Method, system and apparatus for effecting targeted access to anonymous users of a network

ABSTRACT

A method, system, and apparatus for effecting targeted access to anonymous users of a network is provided. A second entity delineates parameters of an audience with heightened interest in an offering, and a first entity provides the second entity with access to an audience accordant with these parameters. Consumer data collected by a network connected appliance used by an appliance user is linked with an appliance user anonymous identifier, and communicated to the first entity. Using the parameters, the first entity analyzes the collected consumer data and aggregates the appliance user's anonymous identifier with anonymous identifiers of other appliance users, thereby generating an aggregate set of anonymous identifiers that point to members of the audience. This set is marked with an identification code that is communicated to the second entity that can be used by the second entity to gain access to the audience through the first entity.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation-in-part of co-pending U.S. Non-Provisional application Ser. No. 13/802,243 filed Mar. 13, 2013.

BACKGROUND OF INVENTION

1. Field of Invention

In general this invention relates to the promoting of content, products or services through use of an electronic network, without compromising the privacy and security of the users of the network. In particular, it relates to accessing anonymous users of a network and communicating to these users offers for content, products or services targeted to their interests.

2. Discussion of Related Art

Consumer data, that is data collected by a network connected appliance as a result of a consumer's use of the appliance, is being provided to a wide range of entities for the purpose of promoting content, products or services offered by many of these entities. Such promotion may be effected by delivering promotional campaigns, often in the form of advertisements, from suppliers of goods or services; publishers of news, commentary or entertainment content; creators of news, commentary or entertainment content; or advertising agencies, among others, to individual consumers, or groups of consumers, that are targeted through use of such collected consumer data. The collected consumer data are analyzed to determine the interests of individual consumers or groups of consumers, and those consumers that are believed to possibly have a particular interest in the content, products or services being offered are targeted with the advertisement, or advertisements, that comprise the promotional campaign. These advertisements may accompany, or be embedded within, content such as news, multimedia entertainment, and searched for information viewed by the consumer.

The collected consumer data used to determine the characteristics of advertisements or promotional campaigns that best target particular consumers or consumer groups include consumers' product interests, product preferences, network browsing history, physical location and personal data. The appliance used for delivering such targeted advertisements is often the same appliance that is employed to collect the consumer's data. Since the collection of this data is carried out, in many cases, without the consumer's knowledge or consent, the entity collecting such data is often accused of compromising the consumer's privacy and security while attempting to promote their content, products or services. Therefore, this practice has caught the attention of lawmakers around the world, especially in the 30 states of the European Economic Area, the United States, Australia and South Korea, and has led to legislation directed to controlling the collection, secure use, and storage of consumer data. Although there can be a high economic cost associated with violating these laws, due to an increasing number of strict regulations with harsh penalties being enacted, and there is consumer opposition to the unauthorized use and sharing of consumer data, a large number of organizations have chosen to work toward complying with the often conflicting government regulations, instead of discontinuing the practice of collecting consumer data from network connected appliances. This course of action has, in many cases, been chosen because collected consumer data provides much of the business intelligence needed to achieve the organization's business objectives and product promotion goals. These organizations are therefore working towards incorporating meaningful data security and privacy policies into their business practices, at great expense, in an effort to achieve sufficient compliance with the government privacy regulations in the regions of the world in which they operate.

However, due to the many entities currently participating in each on line advertising transaction that employ and share consumer data, attempting to comply with government privacy regulations is problematic. FIGS. 1 and 2 illustrate why this is so. FIG. 1 is a block diagram of a current example on line advertising transaction, and FIG. 2 is a flowchart of a current example on line advertising transaction. In the following discussion, all reference numbers between 100 and 199 designate elements of FIG. 1 and all reference numbers between 200 and 299 designate elements of FIG. 2. As can be seen from FIG. 1, the participants in an on line advertising transaction may include: Advertiser 105, Media Agency 110, Demand Side Platform (DSP) 115, Data Management Platform (DMP) 120, Supply Side Platform (SSP) 125, Ad Exchange 130, Content Delivery Network 135, Publisher 140, Data Sources 150, and Network Connected Appliance 145. Advertiser 105, Media Agency 110 and Publisher 140 are shown in FIG. 1 as separate participants, although Advertiser 105 could possibly be a supplier of goods or services, a publisher of news, commentary or entertainment content, a creator of news, commentary or entertainment content, or an advertising agency, and thus encompass the roles played by Media Agency 110 and Publisher 140. However, in many on line advertising transactions these participants are separate actors, thus, for reasons of completeness, they are called out separately. Consumer data collected by Network Connected Appliance 145 as a result of a consumer's use of the appliance, tracks many aspects of the appliance user's on line behavior. This data is communicated over line 139 of FIG. 1 to Data Sources 150, where it is often augmented with additional specific real world appliance user data collected by the entities that comprise Data Sources 150. 
Such entities include data services that collect and amass offline (real world) consumer data, consumer demographics, and web analytics, in addition to data services that collect and amass on line consumer data. Such data services can include credit card suppliers, financial institutions, credit scoring agencies, social networking sites, gaming sites, on line e-tailers, brick and mortar department stores, energy companies, utilities and super markets, among many others. DMP 120 receives augmented consumer data over line 127 from Data Sources 150, and provides raw and processed versions of the data to Advertiser 105, Media Agency 110, DSP 115, SSP 125, and Publisher 140 over lines 111, 113, 109, 123, and 153, respectively.

In Block 200 of FIG. 2, Advertiser 105 of FIG. 1 initiates an on line advertising campaign with the goal of promoting their content, product or service to the maximum degree possible. In addition, Advertiser 105 defines targeted consumer attributes of an audience with a heightened interest in their content, product or service and therefore would be susceptible to their advertising campaign. In Block 202, Media Agency 110 creates the advertising campaign in accordance with Advertiser 105's targeted consumer attributes. In Block 204 Supply Side Platform (SSP) 125 determines audience reach of publishers on their platform using data from Publisher 140 and DMP 120, and obtains ad space availability, along with the specifications of the ad space, from publishers. These specifications may include the size of the available ad space, the location of the ad space with respect to other web page elements, and the content being published in the space located adjacent to and surrounding the available ad space, among others. In the example of FIGS. 1 and 2 this information is communicated to DSP 115 through DMP 120. Going through DMP 120 provides the opportunity for DMP 120 to augment the information with processed data and data from Data Sources 150 before it is communicated to DSP 115. Such processed data may include an analysis of consumer data collected from appliance users who have previously visited the publisher's website, an analysis of the demographics of the audience usually served by the publisher, an analysis of the possible effect on the advertiser's brand by the content in close proximity to the location of the available ad space, and an analysis of how advertising content and content layout can be optimized for effectiveness in the available ad space. In Block 206 DSP 115 determines an appropriate advertising campaign publisher utilizing the ad campaign received from Media Agency 110, and data from DMP 120.
In Block 208 Ad Exchange 130 manages negotiations between DSP 115 and SSP 125 for the buying of ad space from a publisher on the SSP. At the conclusion of negotiations, DSP 115 selects a publisher to publish the ad campaign. In the example of FIGS. 1 and 2 Publisher 140 is selected. DSP 115 then delivers the ad campaign to Ad Exchange 130, Ad Exchange 130 delivers the ad campaign to Content Delivery Network 135 and Publisher 140 delivers the available ad space to Content Delivery Network 135, as shown in Block 210. In Block 212 Content Delivery Network combines the ad campaign from Ad Exchange 130 with the ad space from Publisher 140 and delivers the result to Publisher 140. The combined ad campaign and ad space is then published by Publisher 140 to the Web in Block 214 and the appliance user views the web published ad campaign on Network Connected Appliance 145 in Block 216.

In the above example at least 6 different entities could receive the consumer data collected by Network Connected Appliance 145, thus placing the users of the network from which the consumer data was collected at a risk of having their privacy and security compromised. These entities include: DMP 120, Advertiser 105, Media Agency 110, DSP 115, SSP 125 and Publisher 140. In addition, the entities that comprise Data Sources 150, entities that collect and supply consumer data from both a consumer's use of their network connected appliance and from real world consumer activities, have access to the consumer data they collect. It is therefore clear that there exists a need for a network based consumer data collection and provisioning approach that allows organizations to obtain the consumer data derived business intelligence they require to promote their content, products or services, while minimizing the risk of compromising the privacy and security of the consumers who use the network.

SUMMARY OF INVENTION

The present invention provides a method, system, and apparatus for effecting targeted access to anonymous users of a network. It performs this function by obtaining authorization from a user of a network connected appliance to collect and communicate to a first entity consumer data resulting from the user's use of the appliance; collecting the consumer data by use of the network connected appliance; linking the collected consumer data with an appliance user anonymous identifier; communicating the consumer data and appliance user's anonymous identifier to the first entity; analyzing the data at the first entity by the use of one or more delineated parameters, where the delineated parameters define an audience with heightened interest in an offering of a second entity; aggregating at the first entity the appliance user's anonymous identifier with a set of appliance user anonymous identifiers linked with consumer data of other appliance users, such that each appliance user anonymous identifier included in the aggregate set points to an appliance user whose collected consumer data corresponds to at least one parameter in common with the collected consumer data of the other appliance users whose anonymous identifiers are included in the aggregate set, thus generating an aggregate set of appliance user anonymous identifiers that point to the audience, where the audience includes the appliance user; marking the aggregate set with an identification code; communicating the identification code from the first entity to the second entity; and providing the second entity with access to the audience through the first entity by use of the aggregate set identification code. The second entity could, for example, be a supplier of goods or services, a publisher of news, commentary or entertainment content, a creator of news, commentary or entertainment content, or an advertising agency, among others.
This provides the second entity with access to an audience meeting desirable parameters, without disclosing to the second entity any audience member consumer data, thus preserving the audience members' anonymity, privacy and security. The second entity may use this access to promote content, products or services of particular interest to the qualified anonymous audience, using the electronic network. The electronic network employed by the network connected appliance of the present invention may, for example, be the Internet. In addition, one or more parameters used by the first entity to analyze the collected network connected appliance user consumer data, and define an audience with heightened interest in an offering of the second entity, may be provided by the second entity. In this case, the resulting audience may be wholly, or in part, defined by the second entity.

The network connected appliance for collecting and communicating to the first entity an appliance user's consumer data resulting from the user's use of the appliance can be comprised of a processor, a memory, a network communications interface and a computer program stored in the memory and executed on the processor. Such a computer program could, for example, be downloaded from the first entity in the form of a software application. When these elements are employed to implement the network connected appliance of the present invention, the processor obtains authorization from the appliance user to collect and communicate the appliance user's consumer data to the first entity; the processor generates an appliance user anonymous identifier; the processor collects appliance user's consumer data; the processor links the generated appliance user anonymous identifier with the collected consumer data; and the network communications interface communicates the consumer data and appliance user anonymous identifier to the first entity. Prior to communication to the first entity, the processor may also encrypt the collected consumer data and/or perform in-appliance de-identification of the collected consumer data. The de-identification removes personally identifiable information (PII) from the collected consumer data and the encryption protects consumer data privacy and security.
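The appliance-side sequence described above (authorization, anonymous identifier, in-appliance de-identification, linking), as an added Python example that is not code from the patent. The PII field names, the redaction patterns and the sample records are assumptions constructed for illustration, and the optional encryption step is left out.

```python
import json
import re
import secrets

# Assumed names of directly identifying fields; the page does not list any.
PII_FIELDS = {"name", "email", "phone", "ip_address", "device_serial"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def new_anonymous_identifier():
    """Random 128-bit identifier, not derived from the user, device or address."""
    return secrets.token_hex(16)


def scrub_text(value):
    """Redact e-mail addresses and phone-like digit runs embedded in free text."""
    return PHONE_RE.sub("[redacted]", EMAIL_RE.sub("[redacted]", value))


def deidentify(record):
    """Drop PII fields and scrub the free-text values that remain."""
    clean = {}
    for key, value in record.items():
        if key in PII_FIELDS:
            continue
        if isinstance(value, str):
            value = scrub_text(value)
        elif isinstance(value, list):
            value = [scrub_text(v) if isinstance(v, str) else v for v in value]
        clean[key] = value
    return clean


def build_upload(user_authorized, anon_id, collected):
    """Link de-identified data to the anonymous identifier, only if authorized."""
    if not user_authorized:
        raise PermissionError("appliance user has not authorized collection")
    return {"anon_id": anon_id,
            "consumer_data": [deidentify(r) for r in collected]}


# Constructed sample of collected consumer data.
SAMPLE_COLLECTED = [
    {"name": "Pat Example", "email": "pat@example.com",
     "site": "reviews.example", "minutes_on_site": 7,
     "search_terms": ["thai palo alto", "reserve table pat@example.com"]},
    {"ip_address": "192.0.2.10", "site": "menu.example",
     "note": "call 650-555-0100 about table", "minutes_on_site": 6},
]

if __name__ == "__main__":
    upload = build_upload(True, new_anonymous_identifier(), SAMPLE_COLLECTED)
    print(json.dumps(upload, indent=2))
```

Search terms and notes are scrubbed as well as named fields, because free text typed by the user is where identifying strings most often survive field-level removal.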

The network communications interface of the appliance of the present invention can also be used to receive communications from the first entity. Included in these received communications can be product, service or other offer descriptions provided to the first entity from the second entity for dissemination to an audience that meets delineated parameters and therefore has a heightened interest in an offering of the second entity, as discussed above. These communications from the first entity provide the second entity with access to the audience. In this example, the appliance user is a member of the audience, thus the second entity is provided access to the appliance user. Such a communication may be in the form of a simple list of second entities with offer descriptions that includes information as to how the user of the network connected appliance can take advantage of the offer, such as the ad campaign website address where the offer is available. This would allow the appliance user to click on, or touch, a list item and be connected to the ad campaign website where the appliance user can obtain further information on the offer and, if desired, purchase the offered product or service. The communication may also be significantly more elaborate, including promotional materials provided by the second entity, or on behalf of the second entity, designed to motivate the appliance user to engage with the content, service or product being offered. Such material may include games, videos, short or long form multimedia entertainment content, or audio visual presentations synchronized with, or related to, presentations appearing on other appliances employed by the appliance user.

As previously described, an aggregate set of anonymous appliance user identifiers that point to a defined audience that includes the appliance user is generated by the first entity. The aggregate set is marked with an aggregate set identification code, and the code is communicated to the second entity by the first entity. This code can be used by the second entity to inform the first entity of the particular audience the second entity would like to address, with, for example, offers or promotional materials communicated to the first entity. It can also be used to verify that an appliance user in communication with a second entity's ad campaign website is a member of the selected audience. However, the code cannot be employed by the second entity to directly contact the appliance user.

At the time that the appliance user initiates communication with a second entity's ad campaign website, for example by clicking on an offer description, the network communication interface of the appliance of the present invention can communicate a message that includes the appliance user's anonymous identifier to the first entity, such message indicating that the appliance user has initiated communication with an ad campaign website of the second entity, and the second entity website the appliance user is in communication with. The first entity can then communicate to the network communication interface of the appliance a message that includes the identification code communicated to the second entity that identifies the audience in which the appliance user is a member and to which the second entity's offer description has been communicated. The network communication interface of the appliance can in turn communicate this identification code to the second entity through the second entity's campaign website. This allows the second entity to compare the identification code communicated by the appliance's network communication interface with the identification code communicated to the second entity by the first entity and verify that the appliance user who is communicating with the second entity's campaign website is a member of the audience the second entity wishes to address. This verifies the authenticity of the appliance user as a qualified potential buyer of the second entity's offerings.
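The verification exchange described above, with all three parties modelled, as an added Python example that is not code from the patent. The class and function names, the code format (a random URL-safe token), the identifiers and the URLs are assumptions constructed for illustration.

```python
import hmac
import secrets


class SecureConsumerDataExchange:
    """First entity: the only party that can map a code to identifiers."""

    def __init__(self):
        # identification code -> (campaign website, member identifiers)
        self.sets = {}

    def mark_aggregate_set(self, campaign_website, member_ids):
        """Mark a set with a fresh code; the second entity receives the code."""
        code = secrets.token_urlsafe(16)
        self.sets[code] = (campaign_website, frozenset(member_ids))
        return code

    def on_offer_click(self, anon_id, campaign_website):
        """Appliance reports a click; reply with the matching audience code."""
        for code, (website, members) in self.sets.items():
            if website == campaign_website and anon_id in members:
                return code
        return None  # not a member of any audience addressed by this website


class CampaignWebsite:
    """Second entity: holds only the code it was given, never an identifier."""

    def __init__(self, url, code_from_first_entity):
        self.url = url
        self.code = code_from_first_entity

    def verify_visitor(self, presented_code):
        """Compare the code forwarded by the appliance with the stored code."""
        if not presented_code:
            return False
        return hmac.compare_digest(presented_code.encode(), self.code.encode())


def appliance_click(anon_id, exchange, website):
    """Appliance side: fetch the code from the first entity, then forward it."""
    code = exchange.on_offer_click(anon_id, website.url)
    return website.verify_visitor(code)


def run_demo():
    scde = SecureConsumerDataExchange()
    # Constructed identifiers and URLs.
    code_r = scde.mark_aggregate_set(
        "https://restaurant.example/offer", {"anon-a1", "anon-b2"})
    code_s = scde.mark_aggregate_set(
        "https://shoes.example/offer", {"anon-c3"})
    restaurant = CampaignWebsite("https://restaurant.example/offer", code_r)
    return {
        "member": appliance_click("anon-a1", scde, restaurant),
        "non_member": appliance_click("anon-z9", scde, restaurant),
        "other_audience": appliance_click("anon-c3", scde, restaurant),
        "wrong_code": restaurant.verify_visitor(code_s),
    }


if __name__ == "__main__":
    print(run_demo())
```

The anonymous identifier travels only between the appliance and the first entity; the campaign website sees the identification code and nothing else.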

Thus, without compromising appliance user privacy or security, the present invention provides the second entity with verifiable access to a set of qualified appliance users who are members of an audience that have indicated by their consumer data that they are potentially interested in an offering of the second entity, thus greatly enhancing the second entity's ability to promote their content, product or service.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings are not intended to be drawn to scale. In the drawings, each identical or nearly identical component that is illustrated in various figures is represented by a like numeral. For purposes of clarity, not every component may be labeled in every drawing. In the drawings:

FIG. 1 is a block diagram of a current example on line advertising transaction [Prior Art];

FIG. 2 is a flowchart of a current example on line advertising transaction [Prior Art];

FIG. 3 is an on line advertising transaction block diagram of the preferred embodiment of the present invention;

FIG. 4 is an on line advertising transaction flowchart of the preferred embodiment of the present invention;

FIG. 5 is a block diagram of a Secure Consumer Data Exchange of the preferred embodiment of the present invention;

FIG. 6 is a block diagram of a network connected appliance of the preferred embodiment of the present invention;

FIG. 7 is a process flowchart of a network connected appliance of the preferred embodiment of the present invention;

FIGS. 8A and 8B illustrate example offer display screens presented to a user of a network connected appliance of the preferred embodiment of the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENT

The present invention will now be described more fully hereinafter with reference to the accompanying drawings, which form a part thereof, and which show, by way of illustration, a specific embodiment by which the invention may be practiced. The invention may, however, be embodied in many different forms and should not be construed as limited to the embodiment set forth herein; rather, this embodiment is provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Among other things, the present invention may be embodied as methods or devices. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. The following detailed description is, therefore, not to be taken in a limiting sense.

Throughout the specification and claims, the following terms take the meanings explicitly associated herein, unless the context clearly dictates otherwise. The phrase “in one embodiment” as used herein does not necessarily refer to the same embodiment, though it may. As used herein, the term “or” is an inclusive “or” operator, and is equivalent to the term “and/or”, unless the context clearly dictates otherwise. The term “based on” is not exclusive and allows for being based on additional factors not described, unless the context clearly dictates otherwise. In addition, throughout the specification, the meaning of “a”, “an”, “and” and “the” include plural references. The meaning of “in” includes “in” and “on”. Also, the use of “including”, “comprising”, “having”, “containing”, “involving”, and variations thereof herein, is meant to encompass the items listed thereafter and equivalents thereof as well as additional items.

The present invention effects verifiable targeted access to a set of anonymous users of a network. Such users are members of a defined audience, where such audience is defined by use of consumer data collected by the appliances used by the anonymous network users to connect and interact with the network. Collected consumer data is employed to select audience members that have shown a heightened interest in, for example, particular content, products or services. A second entity, such as a provider of content, products or services, seeking access to a pre-qualified audience, or a media agency working on behalf of such a provider, defines targeted consumer attributes. These consumer attributes are employed to derive delineated parameters that are communicated to a standalone service provider called a Secure Consumer Data Exchange, or SCDE. This first entity employs the delineated parameters, along with consumer data communicated to the first entity by the appliances used by anonymous network users, to generate the desired audience member set, and thereafter effect second entity access to the members of the set. Although the first entity is described as a “standalone service provider” in the following discussion of the present invention's preferred embodiment, the first entity may take many forms. For example, the first entity could be an operating unit of a multidisciplined company, such as AT&T Cloud Services, Amazon Web Services, or Google Cloud Platform.

FIGS. 3 and 5, in conjunction with the flow chart of FIG. 4, are employed in the following discussion to illustrate the operation of the preferred embodiment of the present invention in the context of an on line advertising transaction. Although an on line advertisement transaction is used for purposes of clarity, the present invention is directed towards targeted access for the purpose of data delivery in general, therefore the following discussion should not be read as being limited to targeted access for the purpose of only advertisement delivery. FIG. 3 is an on line advertising transaction block diagram of the preferred embodiment. FIG. 5 is a block diagram of a Secure Consumer Data Exchange of the preferred embodiment, and FIG. 4 is an on line advertising transaction flowchart of the preferred embodiment. In this discussion, all reference numbers between 300 and 399 designate elements of FIG. 3, all reference numbers between 400 and 499 designate elements of FIG. 4, and all reference numbers between 500 and 599 designate elements of FIG. 5.

As can be seen from FIG. 3, the entities participating in an on line advertising transaction of the present invention are Advertiser 305, Media Agency 310, Data Management Platform (DMP) 320, Data Sources 325, Content Sources 330, Publisher 340 in conjunction with Ad Campaign Website 350, Network Connected Appliance 345, Proxy Server 315, and Secure Consumer Data Exchange (SCDE) 360. In the following discussion of the preferred embodiment of the present invention, Media Agency 310 works on behalf of Advertiser 305. Consumer data is collected by Network Connected Appliance 345 as a result of a consumer's use of the appliance and linked by Network Connected Appliance 345 with an appliance user anonymous identifier, as shown in Block 450 of FIG. 4. Collected consumer data may include, for example: the websites the appliance user visited; what news articles, entertainment content, product descriptions and advertisements were clicked on by the appliance user; the search terms used by the appliance user while searching for Internet content; what products or services were purchased by the appliance user on line; what social networking websites, association websites, and blogs the appliance user visited; how long the appliance user remained connected to each website; the physical location of the appliance user at predetermined time intervals; and what “brick and mortar stores” the appliance user visited.

In FIG. 3, the appliance user's collected consumer data and anonymous identifier are communicated over line 395 to Proxy Server 315, and then from Proxy Server 315 this data is communicated over line 365 to first entity SCDE 360. Proxy Server 315 is employed to reduce the possibility that information regarding the Internet Protocol address (IP address) employed by the network connected appliance used by the appliance user will be available to SCDE 360. This can enhance the appliance user's anonymity and thereby provide the appliance user with increased security, reducing appliance user concerns that their collected consumer data may be associated with them. Strictly speaking, Proxy Server 315 is not necessary for the proper operation of the present invention. SCDE 360 analyzes the consumer data and aggregates the appliance user's anonymous identifier with a set of other appliance user anonymous identifiers whose collected consumer data corresponds to at least one common delineated parameter. The aggregation process is based on the results of the analysis. These actions are indicated in Block 452. Delineated parameters used in the analysis and aggregation processes can be communicated to SCDE 360 from Media Agency 310, working on behalf of Advertiser 305, the second entity in this discussion. This data is communicated between Media Agency 310 and SCDE 360 over line 380.

As used in this discussion, the term consumer attributes denotes characteristics inherent in the group of consumers Advertiser 305, or Media Agency 310 on behalf of Advertiser 305, wishes to target with an advertising campaign. Therefore, if Advertiser 305 asks Media Agency 310 to promote a new restaurant in Palo Alto, Calif., henceforth referred to as the “Palo Alto example”, such consumer attributes could include: liking a wide variety of cuisines; enjoying 2 star or above restaurants; living, working, shopping, or dining in or in the vicinity of Palo Alto, Calif.; and, eating at restaurants often. Delineated parameters are numeric quantities assigned to actions associated with individuals who display particular consumer attributes. Therefore in the current example, delineated parameters could include: visiting restaurant review websites (Yelp for example) at least once a week; viewing menus from Palo Alto restaurants whose prices range from $11 to $60 per meal without drinks; viewing 2 or more restaurant websites per month for more than 5 minutes each; viewing the websites of multiple restaurants, wherein at least 3 of the restaurants viewed serve different cuisines from each other; being physically in Palo Alto, or within 10 miles from Palo Alto, at least 3 times a week; and remaining at a location for between 30 and 90 minutes, at least once a week, where at such location at least 1 restaurant is known to be located.

If Media Agency 310 wishes the aggregate set of appliance user anonymous identifiers generated by SCDE 360 to reflect a broad range and large number of appliance users, Media Agency 310 could ask SCDE 360 to include in the aggregate set the anonymous identifiers of all appliance users whose collected consumer data satisfies a single delineated parameter. For example, the aggregate set could be comprised of the anonymous identifiers of appliance users who are physically in Palo Alto, or within 10 miles from Palo Alto, at least 3 times a week. Should Media Agency 310 desire a more focused aggregate set of appliance user anonymous identifiers, SCDE 360 could employ a second delineated parameter in addition to the first delineated parameter. In this case, only the anonymous identifiers of appliance users whose collected consumer data satisfies both delineated parameters would be included in the set. Therefore, the more focused aggregate set of appliance user anonymous identifiers may only include the anonymous identifiers of appliance users who are physically in Palo Alto, or within 10 miles from Palo Alto, at least 3 times a week, and view 2 or more restaurant websites per month for more than 5 minutes each. Although 2 delineated parameters have been discussed, any number of delineated parameters could be employed in the analysis and aggregation processes making it possible to generate very focused sets of appliance user anonymous identifiers.
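The broad (one delineated parameter) and focused (two delineated parameters) aggregate sets from the Palo Alto example, as an added Python example that is not code from the patent. The record layout, the city-centre coordinates, the reading of "2 or more restaurant websites" as distinct sites, the single sampled week and month, the code format and the sample data are assumptions constructed for illustration.

```python
import math
import secrets

PALO_ALTO = (37.4419, -122.1430)  # approximate city centre (assumption)
EARTH_RADIUS_MILES = 3958.8


def miles_between(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))


def near_palo_alto(data):
    """In Palo Alto, or within 10 miles of it, at least 3 times in the week."""
    hits = sum(1 for point in data["week_locations"]
               if miles_between(point, PALO_ALTO) <= 10)
    return hits >= 3


def views_restaurant_sites(data):
    """Views 2 or more restaurant websites in the month, over 5 minutes each."""
    long_views = {site for site, minutes in data["month_restaurant_views"]
                  if minutes > 5}
    return len(long_views) >= 2


DELINEATED_PARAMETERS = {
    "near_palo_alto": near_palo_alto,
    "views_restaurant_sites": views_restaurant_sites,
}


def build_aggregate_set(consumer_data, parameter_names):
    """Return only identifiers that satisfy every named parameter, plus a code."""
    if not parameter_names:
        raise ValueError("at least one delineated parameter is required")
    checks = [DELINEATED_PARAMETERS[name] for name in parameter_names]
    members = frozenset(anon_id for anon_id, data in consumer_data.items()
                        if all(check(data) for check in checks))
    # The set carries identifiers and a code, never the consumer data itself.
    return {"identification_code": secrets.token_urlsafe(16),
            "members": members}


# Constructed sample: anonymous identifier -> collected consumer data.
PA, MV, SF = PALO_ALTO, (37.3861, -122.0839), (37.7749, -122.4194)
SAMPLE_CONSUMER_DATA = {
    "anon-a1": {"week_locations": [PA, PA, MV],
                "month_restaurant_views": [("thai.example", 7),
                                           ("sushi.example", 6)]},
    "anon-b2": {"week_locations": [MV, MV, MV, PA],
                "month_restaurant_views": [("thai.example", 2)]},
    "anon-c3": {"week_locations": [SF, SF, SF],
                "month_restaurant_views": [("thai.example", 9),
                                           ("taco.example", 8),
                                           ("sushi.example", 12)]},
    "anon-d4": {"week_locations": [PA, PA, SF],
                "month_restaurant_views": [("thai.example", 9),
                                           ("thai.example", 8)]},
}

if __name__ == "__main__":
    broad = build_aggregate_set(SAMPLE_CONSUMER_DATA, ["near_palo_alto"])
    focused = build_aggregate_set(
        SAMPLE_CONSUMER_DATA, ["near_palo_alto", "views_restaurant_sites"])
    print(sorted(broad["members"]), sorted(focused["members"]))
```

Each added parameter can only shrink the set, so the focused set is always a subset of the broad one.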

As shown in Block 406 of FIG. 4, Media Agency 310 communicates one or more consumer attributes, or one or more delineated parameters, along with an ad campaign number relating the attributes or delineated parameters to a particular ad campaign, to SCDE 360. SCDE 360 employs these consumer attributes or delineated parameters to analyze consumer data received from Network Connected Appliance 345 and determine if the anonymous identifier associated with the user of Appliance 345 should be included in the aggregate set of anonymous identifiers that represent appliance users with an interest in content, product or services offered by Advertiser 305, as shown in Block 452. In the case of Media Agency 310 communicating consumer attributes to SCDE 360, SCDE 360 would derive delineated parameters from these consumer attributes to use in the set aggregation process. In the case of Media Agency 310 communicating delineated parameters to SCDE 360, SCDE 360 would use these received delineated parameters directly. Block 406 also shows that Media Agency 310 may communicate one or more selection algorithms to SCDE 360. A selection algorithm can be employed by SCDE 360 for determining the anonymous identifiers to be included in the aggregate set. Such an algorithm may use numeric input arguments derived from delineated parameters to effect such selection. The algorithm may use a single argument or multiple arguments. Further, the algorithm may assign weights to the arguments, such that some arguments have more influence on the selection results than others. In addition, the algorithm may base the weighting of some of the arguments on the value of one or more of the other arguments.

The algorithm may be defined in the form of a computer procedure. An example computer procedure is defined below, using the “Palo Alto example”. In this example, written in the Scheme programming language conforming to the “Revised⁵ Report on the Algorithmic Language Scheme”, edited by Richard Kelsey, William Clinger, and Jonathan Rees, dated Feb. 20, 1998, the computer procedure is written as a Scheme “predicate”. By convention, Scheme procedures that always return a Boolean as their value are called predicates and their names usually end in “?”. The defined Scheme predicate “add-to-aggregate-set?” employs numeric input arguments whose ranges are predetermined. The procedure returns “#t”, the Scheme notation for “True”, should the calculated value derived from the numeric input arguments included in the call to the procedure equal or exceed a threshold value and meet some other criteria, and “#f”, the Scheme notation for “False”, should the calculated value derived from the numeric input arguments included in the call to the procedure not equal or exceed a threshold value or not meet some other criteria. If the procedure indicates #t, the appliance user's anonymous identifier is included in the aggregate set of appliance user anonymous identifiers generated by SCDE 360. If the procedure indicates #f, the appliance user's anonymous identifier is not included in the aggregate set of appliance user anonymous identifiers generated by SCDE 360.

In the following example Scheme procedure, ap1 through ap6, w1 through w6, “apmax” and “portion” are arguments included in the call to the procedure. In the case of the arguments ap1 through ap6, each of these arguments indicates the degree the appliance user's collected consumer data satisfies a delineated parameter used in the “Palo Alto example”. Specifically:

-   ap1 = a number from 0 to 100, where 0 indicates the appliance user's collected consumer data shows the appliance user does not visit restaurant review websites, and 100 means the appliance user's collected consumer data shows, on average, the appliance user visits at least 10 restaurant review websites per month;
-   ap2 = a number from 0 to 100, where 0 indicates the appliance user's collected consumer data shows the appliance user does not view Palo Alto restaurant menus whose prices range from $11 to $60 per meal without drinks on line, and 100 indicates the appliance user's collected consumer data shows the appliance user views, on average, Palo Alto restaurant menus whose prices range from $11 to $60 per meal without drinks on line at least 5 times per month;
-   ap3 = a number from 0 to 100, where 0 indicates the appliance user's collected consumer data shows the appliance user does not view restaurant websites and 100 indicates the appliance user's collected consumer data shows the appliance user views, on average, at least 10 restaurant websites, for more than 5 minutes each, per month;
-   ap4 = a number from 0 to 100, where 0 indicates the appliance user's collected consumer data shows the appliance user always views the websites of restaurants that serve the same type of cuisine, and 100 indicates the appliance user's collected consumer data shows the appliance user views, over a period of 3 months, the websites of at least 5 restaurants whose cuisines are different from each other;
-   ap5 = a number from 0 to 100, where 0 indicates the appliance user's collected consumer data shows the appliance user is never physically in Palo Alto, or within 10 miles from Palo Alto, and 100 indicates the appliance user's collected consumer data shows the appliance user is physically in Palo Alto, or within 10 miles from Palo Alto at least 5 times per week;
-   ap6 = a number from 0 to 100, where 0 indicates the appliance user's collected consumer data shows the appliance user never remains at a location for between 30 and 90 minutes, where at such location at least 1 restaurant is known to be located, and 100 indicates the appliance user's collected consumer data shows the appliance user remains at a location for between 30 and 90 minutes, where at such location at least 1 restaurant is known to be located, at least 3 times per week.

In the case of the arguments w1 through w6, these arguments are weights assigned to procedure arguments ap1 through ap6. These weights alter the influence each ap argument has on the result of the procedure. Specifically:

-   w1, w2, w3, w4, w5, w6 are ap1, ap2, ap3, ap4, ap5, ap6 argument weightings respectively, each with a value from 0 to 2, where 0 indicates that 0% of the ap argument's value influences the procedure result and 2 indicates that 200% of the ap argument's value influences the procedure result.

In the case of the argument “apmax”, this argument is the maximum value assigned to each delineated parameter. In the example Scheme procedure, each delineated parameter is assigned the same maximum value, the minimum being 0, so only one apmax value is used. However, each delineated parameter may be assigned a different maximum value. Therefore, as many apmax values as there are delineated parameters could be included in the procedure.

In the case of the argument “portion”, this argument is a number between 0 and 1. The sum of maximum delineated parameter values, assigned to the variable “tapmax” in the example Scheme procedure, multiplied by “portion” equals the threshold value that needs to be attained or exceeded for the consumer's anonymous identifier to be included in the aggregate set of consumer anonymous identifiers.

The example Scheme procedure is defined as follows:

    (define add-to-aggregate-set?
      (lambda (apmax portion ap1 w1 ap2 w2 ap3 w3 ap4 w4 ap5 w5 ap6 w6)
        ; weight arguments; calculate "total apmax" = tapmax
        (let* ((ap1w (* ap1 w1)) (ap2w (* ap2 w2))
               (ap3w (* ap3 w3)) (ap4w (* ap4 w4))
               (ap5w (* ap5 w5)) (ap6w (* ap6 w6))
               (tapmax (* apmax (length (list ap1 ap2 ap3 ap4 ap5 ap6)))))
          ; add appliance user anonymous identifier to aggregate set?
          (cond
            ((and (>= ap1w 50)
                  (>= ap4w 60)
                  (>= ap6w 33)
                  (>= (+ ap1w ap2w ap3w ap4w ap5w ap6w) (* tapmax portion)))
             #t) ; yes, add anonymous identifier
            (else #f))))) ; no, do not add anonymous identifier

In the above example Scheme procedure, the values of arguments ap1, ap2, ap3, ap4, ap5, and ap6, are obtained from the analysis of the appliance user's collected consumer data received over line 365. As previously stated, ap1 is defined as a number from 0 to 100, where 0 indicates the appliance user's collected consumer data shows the appliance user does not visit restaurant review websites, and 100 means the appliance user's collected consumer data shows, on average, the appliance user visits at least 10 restaurant review websites per month. Therefore, for collected appliance user consumer data that, when analyzed, shows the appliance user visits, on average, 5 restaurant review websites per month, ap1 could be assigned a value of 50 as a result of the analysis process.

Using the descriptions in the previous paragraphs for ap2 through ap6, and reasoning similar to that employed in the previous paragraph to assign a value to ap1, values could be assigned to ap2 through ap6 as follows:

-   a) If the collected appliance user's consumer data shows that the appliance user views, on average, Palo Alto restaurant menus whose prices range from $11 to $60 per meal without drinks on line at least 2 times per month, ap2 could be assigned a value of 40 as a result of the analysis process;
-   b) If the collected appliance user's consumer data shows that the appliance user views, on average, at least 5 restaurant websites, for more than 5 minutes each, per month, ap3 could be assigned a value of 50 as a result of the analysis process;
-   c) If the collected appliance user's consumer data shows that the appliance user views, over a period of 3 months, the websites of 3 restaurants whose cuisines are different from each other, ap4 could be assigned a value of 60 as a result of the analysis process;
-   d) If the collected appliance user's consumer data shows that the appliance user is physically in Palo Alto, or within 10 miles from Palo Alto, 2 times per week, ap5 could be assigned a value of 40 as a result of the analysis process; and
-   e) If the collected appliance user's consumer data shows that the appliance user remains at a location for between 30 and 90 minutes, where at such location at least 1 restaurant is known to be located, 1 time per week, ap6 could be assigned a value of 33 as a result of the analysis process.

The values of arguments w1, w2, w3, w4, w5, and w6, alter the importance of arguments ap1, ap2, ap3, ap4, ap5 and ap6 respectively. The more important an “ap” argument is the greater the influence it has on the result of the “add-to-aggregate-set?” procedure. For example, Media Agency 310 may voice a desire to SCDE 360 to increase the number of anonymous identifiers in the aggregate set that are linked to the consumer data of appliance users who are physically in Palo Alto, or within 10 miles from Palo Alto on at least a weekly basis. This can be accomplished by changing the value of argument w5. If, for example, w5 was 1.0, argument ap5's effective influence on the result of the procedure would be 100% of its numerical value. By increasing w5 to 1.3, ap5's effective influence on attaining or exceeding the threshold value that needs to be reached for the consumer's anonymous identifier to be included in the aggregate set of consumer anonymous identifiers, would be increased by 30% to 130% of its numerical value. Thus, the number of anonymous identifiers in the aggregate set that are linked to the consumer data of appliance users who are physically in Palo Alto, or within 10 miles from Palo Alto on at least a weekly basis would increase.

The value of the argument “apmax” sets the maximum value of arguments ap1, ap2, ap3, ap4, ap5 and ap6. For ease of discussion, the “add-to-aggregate-set?” procedure is written such that all the “ap” arguments have the same maximum value, where this value is set by the use of a single “apmax” argument. In general, this need not be the case. The procedure could have been written to allow the maximum value of each “ap” argument to be different and set by separate arguments in the procedure call. Although “apmax” can be any value, a good value for the example procedure under discussion would be 100.

The value of the argument “portion” determines the threshold value that needs to be attained or exceeded for the appliance user's anonymous identifier to be included in the aggregate set of appliance user anonymous identifiers. An inspection of the “add-to-aggregate-set?” procedure's Scheme code shows how the argument “portion” plays this role. The Scheme code fragment:

    (>= (+ ap1w ap2w ap3w ap4w ap5w ap6w) (* tapmax portion))

calls for multiplying variable “tapmax” by argument “portion”, where “tapmax” has been previously set in the procedure to:

    (tapmax (* apmax (length (list ap1 ap2 ap3 ap4 ap5 ap6))))

or, using mathematical notation, to tapmax=(apmax*the number of ap arguments). In other words, since, for this example, apmax is the same value for each ap argument used in the “add-to-aggregate-set?” procedure, tapmax is equal to the single apmax argument times the number of ap arguments used in the procedure. Referring back to the Scheme code fragment above, it can be seen that the argument “portion” has the effect of setting the value that needs to be attained or exceeded for the appliance user's anonymous identifier to be included in the aggregate set of appliance user's anonymous identifiers, since if the sum of weighted arguments ap1w, ap2w, ap3w, ap4w, ap5w and ap6w is equal to or exceeds (* tapmax portion), or in mathematical notation (tapmax*portion), the appliance user's anonymous identifier is included in the aggregate set. If it does not, the appliance user's anonymous identifier is not included.

To demonstrate how the argument “portion” acts to set the threshold value, and thereby alter the number of appliance user anonymous identifiers included in the set of anonymous identifiers, recall that in the call to the “add-to-aggregate-set?” procedure there are 6 arguments, ap1-ap6. These six arguments are derived from an analysis of the appliance user's collected consumer data based on 6 delineated parameters. Also recall that a good value for “apmax” is 100. Letting apmax equal 100 causes “tapmax” to equal 600, a constant value throughout the execution of the procedure. If the argument “portion” is chosen to be 0.50, the threshold value that needs to be attained or exceeded for the appliance user's anonymous identifier to be included in the aggregate set of appliance user anonymous identifiers is 300. Lowering the value of “portion” to, for example, 0.25, decreases the threshold value to 150 and thereby potentially increases the number of included appliance user anonymous identifiers by as much as 1.5 times. The actual amount of increase depends on a number of factors including: the number of appliance user consumer data sets employed in the consumer data analysis, the number of delineated parameters employed in the analysis, and the distribution uniformity of the consumer data with respect to the employed delineated parameters.

Included in the “add-to-aggregate-set?” procedure is another filtering process to further focus the generated aggregate set of anonymous appliance user identifiers in accordance with Media Agency 310's wishes. This filtering process is embodied in the following Scheme code fragment:

    (and (>= ap1w 50)
         (>= ap4w 60)
         (>= ap6w 33)
         (>= (+ ap1w ap2w ap3w ap4w ap5w ap6w) (* tapmax portion)))

The last line of the “and” statement is the code fragment discussed in the preceding 2 paragraphs. For this “and” statement to result in a #t output, and thereby cause the execution of the “add-to-aggregate-set?” procedure to result in a #t output, all lines of the statement must be true. Specifically, ap1w must be greater than or equal to 50, ap4w must be greater than or equal to 60, ap6w must be greater than or equal to 33 and the sum of ap1w through ap6w must be greater than or equal to (tapmax*portion). Assuming the last line of the “and” statement is satisfied and the weights applied to arguments ap1, ap4 and ap6 are 1, Media Agency 310 could request, for example, that the aggregate set of appliance user anonymous identifiers at least include the anonymous identifiers of appliance users whose consumer data indicates that the appliance user visits, on average, 5 restaurant review websites per month (ap1w>=50), the appliance user views, over a period of 3 months, the websites of 3 restaurants whose cuisines are different from each other (ap4w>=60), and the appliance user remains at a location for between 30 and 90 minutes, where at such location at least 1 restaurant is known to be located, 1 time per week (ap6w>=33).
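The interaction of the weights, the per-argument minimums and “portion” can be checked numerically. The following Python sketch is an added illustration, not part of the original specification; it generalizes the example Scheme predicate to named arguments and reports why an identifier is rejected. The names evaluate and with_weight and the returned structure are assumptions; the argument values are the worked values given above (ap1=50, ap2=40, ap3=50, ap4=60, ap5=40, ap6=33).

```python
AP_MAX = 100  # the apmax value the text suggests

# Worked argument values given in the text for ap1 through ap6.
PAGE_AP = {"ap1": 50, "ap2": 40, "ap3": 50, "ap4": 60, "ap5": 40, "ap6": 33}

# Minimum weighted values required by the "and" clause of the Scheme predicate.
PAGE_FLOORS = {"ap1": 50, "ap4": 60, "ap6": 33}


def evaluate(ap, weights, portion, floors=PAGE_FLOORS, apmax=AP_MAX):
    """Return (selected, detail) for one appliance user's argument values.

    Hypothetical helper: same decision as add-to-aggregate-set?, but it also
    reports the weighted total, the threshold and any minimum that failed.
    """
    for name, value in ap.items():
        if not 0 <= value <= apmax:
            raise ValueError(f"{name}={value} outside 0..{apmax}")
        if not 0 <= weights[name] <= 2:
            raise ValueError(f"weight for {name} outside 0..2")
    if not 0 <= portion <= 1:
        raise ValueError("portion must be between 0 and 1")

    weighted = {name: ap[name] * weights[name] for name in ap}
    total = sum(weighted.values())
    threshold = apmax * len(ap) * portion  # tapmax * portion
    failed = sorted(n for n, floor in floors.items() if weighted[n] < floor)
    selected = not failed and total >= threshold
    return selected, {"total": total, "threshold": threshold,
                      "failed_floors": failed}


def with_weight(name, value):
    """Weights of 1.0 for every argument except the named one."""
    weights = dict.fromkeys(PAGE_AP, 1.0)
    weights[name] = value
    return weights


if __name__ == "__main__":
    unit = dict.fromkeys(PAGE_AP, 1.0)
    for label, weights, portion in [
        ("portion 0.50", unit, 0.50),
        ("portion 0.25", unit, 0.25),
        ("w5 = 1.3, portion 0.50", with_weight("ap5", 1.3), 0.50),
        ("w1 = 0.9, portion 0.25", with_weight("ap1", 0.9), 0.25),
    ]:
        print(label, evaluate(PAGE_AP, weights, portion))
```

With unit weights the worked values total 273, so the identifier is excluded at portion 0.50 (threshold 300) and included at 0.25 (threshold 150). Lowering w1 to 0.9 excludes it regardless of the total, because the minimum of 50 is applied to the weighted value ap1w.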

As previously discussed, “add-to-aggregate-set?” procedure argument values ap1 through ap6 are generated by the analysis of appliance user consumer data communicated to SCDE 360 from Network Connected Appliance 345, through Proxy Server 315, over lines 395 and 365. Since Appliance 345 has access to Internet downloaded, appliance user generated, appliance user location, and appliance generated data sources, among other data sources, consumer data may be collected by Appliance 345 in many different formats. Such source formats could include text, binary, xml, sgml, html, portable document format (pdf), and Open Document Format (ODF), to name a few. For ease of analysis by SCDE 360, data in these disparate formats is converted by Appliance 345 into a common format before being communicated to SCDE 360, although SCDE 360 could receive variably formatted data from Appliance 345 and convert the data into a common format for analysis. In the preferred embodiment of the present invention herein discussed, Appliance 345 converts collected consumer data into the comma delimited Comma Separated Value (CSV) text file format, where each data element is separated from the following data element by an ASCII comma character. Other data file formats can be used. The first data element of the CSV text file communicated to SCDE 360 from Appliance 345 through Proxy Server 315 is the appliance user's anonymous identifier, although the appliance user's anonymous identifier could appear as the last element of the file, or in any other predefined position of the file. The second element is a time stamp data element, where the time stamp data is generated by Appliance 345's real time clock. This element designates the date and time the following data element was collected by Appliance 345. The third element of the CSV text file contains a first collected consumer data element. 
The fourth element is a time stamp data value element, and the fifth element is a second collected consumer data element. The pattern of time stamp data element followed by collected consumer data element continues throughout the rest of the file. The collected consumer data element could contain, for example, the Uniform Resource Locator (URL) address of a web page on the world wide web visited by the appliance user, the URL of a hyperlink on the visited web page over which the appliance's pointing device passed or the appliance user clicked on, the length of time the appliance user remained on a particular web page, the Universal Product Code (UPC) of a product or service purchased by the appliance user while using the appliance, the Global Positioning System (GPS) coordinates of the appliance user at the location where the appliance user is using the appliance, or the appliance user's location coordinates derived from the positions of cell towers and Wi-Fi access points at the location where the appliance user is using the appliance. The collected consumer data element could also contain other data related to the appliance user's use of the appliance. After collecting appliance user consumer data for a predetermined period of time, collecting a predetermined number of consumer data elements, or collecting consumer data elements until a predetermined event occurs, and forming one or more CSV text files, each containing collected appliance user consumer data and the appliance user's anonymous identifier, Appliance 345 encrypts the data and communicates the encrypted data to SCDE 360 through Proxy Server 315.

SCDE 360 receives the encrypted CSV files from Network Connected Appliance 345 through Proxy Server 315, stores the files in encrypted form on Data Storage Unit 509 of FIG. 5, and decrypts the files when required, readying the appliance user consumer data contained in the CSV files for analysis. Strictly speaking, the storage of received appliance user consumer data in encrypted form is not required. However, such encrypted data storage increases the security of the data stored on Data Storage Unit 509, which is an important factor in: a) providing the user of Appliance 345 with confidence that their consumer data is protected and unavailable to entities that should not have access to their data, and b) facilitating compliance with government consumer privacy legislation and regulations. The SCDE 360 processes to be discussed are performed on Enterprise Server 500 of FIG. 5. Outlined double headed Arrow 503 indicates that Processes 505 take the physical form of software stored on Data Storage Unit 509 which is executed on High Performance CPU 513 in conjunction with High Speed Random Access Memory (RAM) 511. As shown in FIG. 5, Interface With User Appliance Process 517 uses Network Communication Interface 515 in conjunction with Network Connection Line 507, Data Storage Process/Retrieval Process 521, and Encryption/Decryption Process 525, to effect communication with Network Connected Appliance 345 through Proxy Server 315 over Line 365. Inter-process Communication 519 serves as the data conduit between Process 517 and Process 521, and Inter-process Communication 523 serves as the data conduit between Process 521 and Process 525.

Consumer Data De-Identification (De-ID)/Combining Process 533 receives decrypted CSV file data from Encryption/Decryption Process 525 through Inter-process Communication 531, and performs de-identification processing of the consumer data contained within the CSV file. Although not strictly required for the operation of the preferred embodiment of the present invention, such de-identification processing may be employed to enhance the privacy of the user of Appliance 345. As will be later discussed, de-identification may be performed by Appliance 345 before the encrypted CSV file is communicated to SCDE 360. In this case, de-identification processing need not be repeated by Process 533. The de-identified consumer data in the form of decrypted and de-identified CSV text file data is output from Process 533 and communicated through Inter-process Communication 531 to Encryption/Decryption Process 525 where it is encrypted and communicated to Data Storage/Retrieval Process 521 through Inter-process Communication 523 for storage in encrypted form on Data Storage Unit 509. Each time SCDE 360 receives a CSV file containing the same appliance user anonymous identifier as a CSV file previously stored on Data Storage Unit 509, regardless of the network connected appliance from which it is received, the received file is decrypted by Process 525 and communicated to Process 533 through Inter-process Communication 531, along with decrypted versions of the previously stored encrypted CSV files containing the same appliance user anonymous identifier. Process 533 combines the consumer data contained in these files and communicates the combined consumer data file through Inter-process Communication 531 to Encryption/Decryption Process 525 where it is encrypted and communicated to Data Storage/Retrieval Process 521 through Inter-process Communication 523 for storage in encrypted form on Data Storage Unit 509. 
Thus, consumer data files containing the same appliance user anonymous identifier, received over multiple communications from multiple network connected appliances, may be caused to reside in a single encrypted CSV file on Storage Unit 509. It will be obvious to one skilled in the art that multiple files containing the same appliance user anonymous identifier that are logically linked, allowing them to be retrieved or processed together, may be stored in place of a single file.

The following 4 processes, Consumer Data Parsing And Grouping Process 537, Consumer Data Argument Generation Process 541, Appliance User Anonymous Identifier Selection Process 545, and Appliance User Anonymous Identifier Aggregation And Aggregate Set Identification Code Marking Process 549, comprise the 4 stages of appliance user collected consumer data analysis performed by SCDE 360. An encrypted consumer data file is retrieved from Storage Unit 509, through the use of Data Storage/Retrieval Process 521 and Encryption/Decryption Process 525, and communicated in decrypted form through Inter-process Communication 535 to Process 537. Process 537 parses and groups this decrypted file into delineated parameter categories. To illustrate using the “Palo Alto example”, the categories could be chosen to correspond to the definitions of arguments ap1-ap6 of the “add-to-aggregate-set?” procedure discussed above. Many text data search programs, such as sgrep and agrep, in combination with scripting languages such as Python, Ruby, Perl, Tcl, Guile, Gauche, and Scsh can be employed to perform this parsing and grouping. The resulting output from Process 537 is a CSV text file where the first data element of the CSV text file is the appliance user's anonymous identifier, the second element is a time stamp data element that indicates the date and time the following data element was collected, and the third element is a collected consumer data element. However, the CSV text file's time stamp data and collected consumer data elements are now grouped in accordance with the definitions of arguments ap1-ap6. Such groupings could be delimited by 2 empty element positions in a row, in other words 3 commas directly following one another. As a simplified example, let all ap arguments be equal to zero except for arguments ap1 and ap6. 
Recall that argument ap1 is defined as: a number from 0 to 100, where 0 indicates the appliance user's collected consumer data shows the appliance user does not visit restaurant review websites, and 100 means the appliance user's collected consumer data shows, on average, the appliance user visits at least 10 restaurant review websites per month. Also recall that argument ap6 is defined as: a number from 0 to 100, where 0 indicates the appliance user's collected consumer data shows the appliance user never remains at a physical location for between 30 and 90 minutes, where at such location at least 1 restaurant is known to be located, and 100 indicates the appliance user's collected consumer data shows the appliance user remains at a physical location for between 30 and 90 minutes, where at such location at least 1 restaurant is known to be located, at least 3 times per week. With ap arguments ap2-ap5 being equal to zero, process 537 purges all collected consumer data not relating to the definitions of arguments ap1 and ap6 from the data output communicated to the following data analysis process. In this case that is Consumer Data Argument Value Generation Process 541. Thus, the CSV text file output from Process 537 may contain a sequence of data elements where the first data element contains the appliance user's anonymous identifier, the second data element contains the time at which the appliance user visited a restaurant review website, the third data element contains the URL of the restaurant review website visited, the fourth data element contains the time at which the appliance user visited a restaurant website, and the fifth data element contains the URL of the restaurant review website visited, which may be the same URL as appeared in the third data element if the appliance user was still visiting the same website when the next appliance user consumer data sample was collected. 
This sequence continues until no more data pertaining to the definition of ap1 appears in the CSV text file input to Process 537. Immediately following the last data element pertaining to the definition of ap1 could be 3 commas in a row, to indicate that appliance user consumer data related to another ap argument definition, in this case ap6, will now appear in the CSV text file. In accordance with the definition of ap6, the next data element in the sequence contains the time the data element was collected, and the following data element in the sequence contains the GPS coordinates of the appliance user's location at the time of consumer data collection. This sequence repeats at the consumer data collection rate until the end of the file.

The parsed and grouped appliance user consumer data CSV text file generated by Process 537 is communicated through Inter-process Communication 539 to Process 541. Process 541 first gathers statistics associated with the consumer data. These statistics may include, but not be limited to, a tabulation of the number of restaurant review websites the appliance user physically visited over the time period during which the data contained in the CSV text file was collected, the number of different locations the appliance user visited over the time period during which the data contained in the CSV text file was collected, the number of times the appliance user visited each location over the time period during which the data contained in the CSV text file was collected, the date and time the appliance user visited the location, the length of time the appliance user remained at each location, and the GPS coordinates of the locations the appliance user remained at for more than 30 minutes but less than 90 minutes. The tabulated data is then analyzed for the purpose of generating consumer data argument values. In this case only arguments ap1 and ap6 are generated because, as previously discussed, all arguments except for arguments ap1 and ap6 have been set to 0 for this simplified example. For the generation of the value of argument ap1, the analysis could employ the number of restaurant review websites the appliance user visited over a period of time. This data is contained in the tabulated appliance user consumer data being analyzed. Given the definition of argument ap1, if the tabulated appliance user consumer data shows the appliance user visited, on average, 5 restaurant review websites per month, ap1 could be assigned a value of 50 as a result of the analysis process. 
For the generation of the value of argument ap6, the analysis could employ the number of different locations the appliance user physically visited, the number of times the appliance user visited each location, the date and time the appliance user visited the location, the length of time the appliance user remained at each location, and the GPS coordinates of the locations the appliance user remained at for more than 30 minutes but less than 90 minutes. Given the definition of argument ap6, if the tabulated appliance user consumer data shows the appliance user remained at a location for between 30 and 90 minutes, where at such location at least 1 restaurant is known to be located, 1 time per week, ap6 could be assigned a value of 33 as a result of the analysis process. In order to determine if at least 1 restaurant is located at a location physically visited by the appliance user, the analysis performed by Process 541 could use data obtained by SCDE 360 from Data Sources 325 over line 347, as shown in FIG. 3. In this example, Data Sources 325 provides, among other data, data listing businesses located at or within walking distance from submitted GPS coordinates.

The generated ap argument values are output from Process 541 and communicated through Inter-process Communication 543 to Process 545 along with the appliance user's anonymous identifier. Process 545 employs the communicated ap argument values to determine whether the appliance user's anonymous identifier should be aggregated with a set of other appliance user anonymous identifiers. Process 545 selects the appliance user's anonymous identifier for aggregation if one or more ap argument values derived from the appliance user's collected consumer data is within a predefined ap value range, where each ap argument may utilize a different ap value range. If one or more ap values are not within their predefined range the appliance user's anonymous identifier is not selected for aggregation. The number of ap argument values used could be defined by Media Agency 310 or SCDE 360, and depends on how focused the anonymous identifier selection process is to be. The more ap argument value ranges that need to be satisfied, the more focused the anonymous identifier selection process. A more focused anonymous identifier selection process causes a lower number of anonymous identifiers to be selected for inclusion in the aggregate set of anonymous identifiers. Recall that in this discussion ap argument values indicate the degree the appliance user's collected consumer data satisfies a delineated parameter either directly supplied by Media Agency 310 or derived from consumer attributes supplied by Media Agency 310. The ap value ranges used by Process 545 may be defined in many ways. For example, they may be empirically defined by Media Agency 310 or SCDE 360, defined by Media Agency 310 based on data supplied to Media Agency 310 by Data Sources 325 over Line 303, or defined by SCDE 360 based on data provided to SCDE 360 by Data Sources 325 over Line 347. If the ap value ranges are defined by Media Agency 310, they would be communicated to SCDE 360 over Line 380. 
Such data may include demographic data, GPS location data, web analysis data, other data, or a combination thereof. Therefore, since Process 545 selects appliance user anonymous identifiers for inclusion in the aggregate set of anonymous identifiers, whose related analyzed consumer data display one or more ap argument values that fall within one or more predefined ranges, the aggregate set of anonymous identifiers generated by following Process 549 will contain anonymous identifiers that point to appliance users whose consumer data have at least one delineated parameter in common. Previously discussed Scheme procedure “add-to-aggregate-set?” can be used by Process 545 for such appliance user's anonymous identifier selection.

The selected appliance user anonymous identifier is output from Process 545 and communicated through Inter-process Communication 547 to Process 549. Process 549 also receives a file containing the set of appliance user anonymous identifiers with which the appliance user's anonymous identifier is to be aggregated, from Process 525 through Inter-process Communication 555. The set may be contained in a text file where each appliance user anonymous identifier is separated from the following identifier by an ASCII line feed character thus causing each identifier to reside on a separate line of the file when the file is viewed, a comma delimited CSV text file where each anonymous identifier is separated from the following identifier by an ASCII comma character, or any other data carrying file capable of being sorted and added to. Prior to communicating the file to Process 549, Process 525 decrypts the file. Such decryption is necessary because, in this example, the file containing the set of appliance user anonymous identifiers is stored in Data Storage Unit 509 in encrypted form and retrieved by Data Storage/Retrieval Process 521 from Data Storage Unit 509 in encrypted form. Thus, Process 525 needs to decrypt the file containing the set of anonymous identifiers received from Process 521 through Inter-process Communication 523 prior to communicating the file to Process 549. Subsequent to receiving the decrypted file, Process 549 concatenates the selected appliance user anonymous identifier with the set of appliance user anonymous identifiers contained in the received file. Although concatenation is specified in this example, other combinatorial approaches can be employed to effect the aggregation. The resulting aggregate set of anonymous identifiers may then be sorted in various ways, such as in ascending or descending anonymous identifier order. Such sorting may be effected for the purpose of facilitating the use of the aggregate set of identifiers at a later time.

Process 549 marks the aggregate set of appliance user anonymous identifiers with an aggregate set identification code and communicates the aggregate set in the form, for example, of an ASCII line feed character delimited text file to Process 525 through Inter-process Communication 555. In the following discussion, Process 525 encrypts the file using public/private key cryptography, although encryption based on other cryptography approaches can be employed. The file is encrypted in order to allow Data Storage Process 521, which receives the file data through Inter-process Communication 523, to store the file on Data Storage Unit 509 for later use as securely as possible. Strictly speaking, storing the line feed character delimited text file containing the aggregate set of appliance user anonymous identifiers in encrypted form is not required. However, encrypting the file increases the security of the data stored in the file, and should the file be accessed by unauthorized entities, deters such entities from readily being able to read and use the data contained in the file. This deterrence is an important factor in: a) providing the appliance user with confidence that their consumer data is protected and unavailable to entities who should not have access to their data, and b) facilitating compliance with government consumer privacy legislation and regulations.
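The selection and aggregation steps of Processes 545 and 549 can be sketched as follows. This is an added Python example, not code from the specification and not the Scheme procedure it refers to; the ap value ranges, the sample identifiers, the `#set-id:` header line, the random identification code and the removal of duplicate identifiers are all assumptions made for the illustration.

```python
import secrets

# Constructed ap value ranges (inclusive). The argument names follow the
# specification; the numeric bounds are assumptions made for this example.
AP_RANGES = {"ap1": (50, 100), "ap6": (30, 100)}


def select_for_aggregation(ap_values, ranges, required):
    """Process 545 analogue: True if every required ap value is in range.

    A missing ap value counts as out of range, so an identifier is never
    selected on the strength of data that was not collected.
    """
    for name in required:
        low, high = ranges[name]
        value = ap_values.get(name)
        if value is None or not (low <= value <= high):
            return False
    return True


def parse_identifier_file(text):
    """Read a set stored one identifier per line or comma delimited."""
    tokens = (t.strip() for t in text.replace(",", "\n").splitlines())
    # Lines starting with '#' carry the set identification code, not a member.
    return [t for t in tokens if t and not t.startswith("#")]


def aggregate(existing_text, selected_ids):
    """Process 549 analogue: concatenate, drop duplicates, sort ascending."""
    merged = set(parse_identifier_file(existing_text))
    merged.update(selected_ids)
    return sorted(merged)


def mark_aggregate_set(identifiers, code=None):
    """Attach an identification code; serialise as line-feed delimited text.

    The code is random so that it reveals nothing about the set's members.
    """
    code = code or secrets.token_hex(16)
    return code, "\n".join([f"#set-id:{code}", *identifiers]) + "\n"


# Constructed sample data: anonymous identifier -> generated ap values.
USERS = {
    "anon-7f3a": {"ap1": 72, "ap6": 33},
    "anon-02bc": {"ap1": 91, "ap6": 12},
    "anon-c41d": {"ap6": 40},
}
# Constructed contents of the decrypted file received from Process 525.
STORED_SET = "anon-9e10\nanon-7f3a\n"


def build_set(required):
    """Select every sample user meeting the required ranges, then aggregate."""
    chosen = [uid for uid, ap in USERS.items()
              if select_for_aggregation(ap, AP_RANGES, required)]
    return aggregate(STORED_SET, chosen)


if __name__ == "__main__":
    print(build_set(["ap6"]))          # one range required: broader set
    print(build_set(["ap1", "ap6"]))   # two ranges required: narrower set
    print(mark_aggregate_set(build_set(["ap6"]))[1])
```

Requiring both `ap1` and `ap6` yields a smaller set than requiring `ap6` alone, which is the focusing effect described for Process 545.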

Pretty Good Privacy (PGP) or Gnu Privacy Guard (GnuPG), as well as other public/private key software programs, can be used for encrypting and decrypting sensitive files. Public-key cryptography refers to a cryptographic system that uses a key pair: one key of the pair is private and the other key of the pair is public. In the preferred embodiment of the present invention, the public key is used to encrypt a file, and the private key is used to decrypt the file. Although different, the two keys of the key pair are mathematically related, but one cannot be derived from the other. Therefore, the public key can be communicated “in the clear” without being protected in any way, as long as the private key remains a secret of the key owner. Prior to the encryption and storage on Data Storage Unit 509 of the aggregate set of appliance user anonymous identifiers generated by Process 549 or the de-identified and combined consumer data generated by Process 533, Public Private Key Generation Process 529 creates both the public and private keys used by SCDE 360. Since SCDE 360 is the only entity that possesses the private key of the key pair, SCDE 360 is the only entity capable of decrypting the encrypted file.

After Process 549 marks the aggregate set of appliance user anonymous identifiers with an aggregate set identification code, as shown in FIG. 4 Block 452, the identification code is communicated through Inter-Process Communication 551 to Interface With Media Agency Process 553, along with the ad campaign number associated with the consumer attributes or delineated parameters used by Processes 545 and 549 to generate the aggregate set of appliance user identifiers. As shown in Block 406 of FIG. 4, the ad campaign number is communicated to SCDE 360 by Media Agency 310 along with the consumer attributes or delineated parameters used by Processes 545 and 549. Process 553 in conjunction with Network Communication Interface 515 and Network Connection Line 507 then communicates the aggregate set identification code and ad campaign number to Media Agency 310 over FIG. 3 Line 380, as shown in Block 454 of FIG. 4.

As shown in FIG. 4 Block 400, Advertiser 305 initiates an advertising campaign by communicating targeted consumer attributes to Media Agency 310. In Block 402, Media Agency 310 communicates the targeted consumer attributes to DMP 320 over Line 390, and in Block 404, DMP 320 generates delineated parameters or selection algorithms based on the consumer attributes and communicates these parameters or algorithms to Media Agency 310 over Line 390. In Block 406, Media Agency 310 designs the ad campaign initiated by Advertiser 305 based on consumer attributes or delineated parameters from DMP 320, and communicates consumer attributes, delineated parameters or selection algorithms to SCDE 360 over Line 380, along with the ad campaign number. Strictly speaking DMP 320 need not be employed to generate the delineated parameters or selection algorithms used by Media Agency 310 or SCDE 360. Delineated parameters or selection algorithms could be generated by Media Agency 310 itself, or by SCDE 360, based on communicated targeted consumer attributes.

Following ad campaign design in Block 406, Media Agency 310 obtains the entertainment, news, educational, game or promotional content, for example, called for by the ad campaign design from Content Sources 330 over Line 307, as shown in Block 408, and generates the ad campaign, as shown in Block 410. The generated ad campaign is then communicated to Publisher 340 over Line 335 and Publisher 340 publishes the ad campaign to Ad Campaign Website 350 over Line 375, as shown in Block 412. In Block 414, Media Agency 310 first receives an ad campaign number and the appliance user anonymous identifier aggregate set identification code associated with the ad campaign number, from SCDE 360. Media Agency 310 then communicates a description of an offer for goods or services, with the related ad campaign website address, ad campaign number, and aggregate set identification code, to SCDE 360. In Block 456, SCDE 360, on behalf of Media Agency 310, communicates the offer description and related ad campaign website address to the appliance users whose anonymous identifiers comprise the aggregate set marked with the received identification code. In this example of the preferred embodiment of the present invention, the anonymous identifier of the user of Network Connected Appliance 345 is included in the aggregate set.

There are many ways for SCDE 360 to effect the communication of the description of an offer for goods or services, with the related ad campaign website address, to Network Connected Appliance 345. One such way is for SCDE 360 to communicate Media Agency 310's offer description and related ad campaign website address to Appliance 345 at the time SCDE 360 receives an encrypted CSV text file from Appliance 345 containing the appliance user's anonymous identifier and consumer data. The communication channel established between SCDE 360 and Appliance 345 can be used by SCDE 360 to first receive the encrypted CSV text file, decrypt the file, parse the file to obtain the anonymous identifier of the user of Appliance 345, determine the aggregate set of anonymous identifiers the user of Appliance 345 is a member of, compare the delineated parameters or selection algorithms used to generate the aggregate set with those provided by Media Agency 310, and, if a match is found, communicate Media Agency 310's offer description and related ad campaign website address to Appliance 345 over the established communication channel. This sequence of actions can be repeated for each appliance user and advertiser served by SCDE 360, such that over a period of time offers from advertisers can be delivered to the appliance users most interested in receiving them. This period of time can be quite short, for the software program executing on Network Connected Appliance 345, to be later discussed, can be configured such that Appliance 345 automatically connects with SCDE 360 multiple times per day to upload encrypted CSV text files containing appliance user consumer data and for other purposes.

Once Media Agency 310's offer description and related ad campaign website address is communicated to Appliance 345, if the offer is of interest, the appliance user may click on the offer description and effect communication with Ad Campaign Website 350 over Line 395 through Proxy Server 315 and Line 370. When the offer is clicked on, Appliance 345 notifies SCDE 360, by use of a communication over Line 395 through Proxy Server 315 and Line 365, that the appliance user clicked on the offer description and is in communication with Ad Campaign Website 350. The communication includes the appliance user's anonymous identifier and the ad campaign website address. This is shown in Block 458. In Block 460, SCDE 360 communicates the identification code of the aggregate set of anonymous identifiers associated with the ad campaign offer, of which the appliance user's anonymous identifier is a member, to Appliance 345 over Line 365 through Proxy Server 315 and Line 395. The communication includes the appliance user's anonymous identifier and the ad campaign website address. Appliance 345 then communicates the identification code to Ad Campaign Website 350 over line 395 through Proxy Server 315 and Line 370. The identification code is communicated from Ad Campaign Website 350 over line 375 to Publisher 340, who in turn communicates the identification code to Media Agency 310 over Line 335. As shown in Block 462, Media Agency 310 compares the identification code communicated to Media Agency 310 by SCDE 360 in Block 454 with the identification code communicated to Media Agency 310 by Publisher 340 in Block 460, originating from Appliance 345. If the identification codes match, the appliance user is verified as being a member of the set of anonymous appliance users whose collected consumer data indicate that they have a heightened interest in the content, product, or service being promoted by Advertiser 305's ad campaign. 
Since the greater the number of verified appliance users visiting the ad campaign website, the greater the efficacy of the ad campaign, this aspect of the present invention generates a metric that directly relates to the efficacy of the ad campaign.

The completion of the advertising transaction of the preferred embodiment of the present invention is shown in Block 464, where the appliance user of Appliance 345 views and interacts with the advertisement, and its entertainment, news, educational, game or promotional elements, on Ad Campaign Website 350, through Proxy Server 315.

We now turn to FIGS. 6, 7, 8A and 8B to discuss a network connected appliance of the preferred embodiment of the present invention. FIG. 6 is a block diagram of a network connected appliance of the present invention, such as Appliance 345. Although not indicated in FIG. 6, Appliance 345 could be a desktop personal computer (PC), a laptop PC, a notebook PC, a netbook PC, an Ultrabook PC, a Chromebook PC, a tablet computer, a smartphone, a gaming console, a smartwatch, a “Blu-ray” player with Internet connectivity, a smart TV, an Internet TV, an IPTV, a set top box, a digital media receiver (Apple TV, Google TV, or Roku streaming media player, for example), or any other network connected appliance capable of sending or receiving data over a network. FIG. 6 depicts the elements that comprise such an appliance. FIG. 7 is a process flowchart of a network connected appliance of the present invention, and FIGS. 8A and 8B illustrate example offer display screens presented to a user of a network connected appliance of the present invention.

The Appliance 345 actions to be discussed are performed by Central Processor Unit (CPU) 600 of FIG. 6, as controlled by processes executed on CPU 600. Outlined double headed Arrow 627 indicates that Processes 650, which take the physical form of one or more software program applications (apps) stored on RAM/Flash And Systems Memory 625, are executed on CPU 600 to effect such control. In the preferred embodiment of the present invention, RAM/Flash And Systems Memory 625 takes the form of high speed Random Access Memory for program application execution, and flash memory for nonvolatile program application storage. However other forms of memory, such as magnetic hard disk or optical memory may be used for nonvolatile storage, and, in the future, magnetless spin memory (MSM) may be able to be used for program application execution.

As shown in FIG. 7 Block 700, the appliance user first downloads and installs an app from Secure Consumer Data Exchange (SCDE) 360 on to Appliance 345. This app may also be downloaded and installed from app distributors, such as Google Play, the Google app store, iTunes, the Apple app store, or Firefox Marketplace, the Firefox app store. It could also be downloaded and installed from another network connected appliance on which the SCDE app has already been installed. Alternatively, the SCDE app could be installed from removable physical media where the SCDE app code resides, where such removable physical media could be a flash drive, SD drive, or optical media, where the optical media could be Blu-ray, DVD, or Compact Disk (CD). Additionally, the SCDE app could be installed in RAM/Flash And Systems Memory 625 at the time of Appliance 345's manufacture.

Through the use of software installed in Systems memory 625 at the time of Appliance 345's manufacture, the acquisition and installation of the SCDE App can be effected by CPU 600 through a number of communication interfaces. These communication interfaces include: Wired Or Wireless Network Communication Interface 635, using Wireless Communication Channel 631, employing Wi-Fi or 4G wireless connections for example, or Wired Communication Channel 633, employing an Ethernet connection for example; Bluetooth Transceiver 611; or Universal Serial Bus (USB) Interface 669. Initiated by appliance user interaction with Display Screen 603, as controlled by User Interface And Consumer Data Collection Process 637, CPU 600 communicates with SCDE 360, for example, through Web Browser Process 643, over a network such as the Internet, the desire of the appliance user to obtain and install the SCDE app. CPU 600 establishes communications with SCDE 360 over Line 629 through the use of Wired Or Wireless Communication Interface 635. Network Communications Interface 635 employs Wireless Communication Channel 631, depicted as an antenna symbol in FIG. 6, for the wireless communication channel, or Wired Communications Channel 633, depicted in FIG. 6 as an Ethernet connector symbol, for the wired communication channel. Once the communications channel between Appliance 345 and SCDE 360 has been established, SCDE 360 communicates the SCDE executable app code to Communications Interface 635, which sends the executable app code over Line 629 to CPU 600. CPU 600 then effects storage of the app code in Systems Memory 625, over line 623, from where it can be executed. Such execution may be started automatically by CPU 600 upon completion of app installation, or by the appliance user clicking on the “Start SCDE” icon that appears on Display Screen 603, as controlled by User Interface Process 637.

As shown in FIG. 7 Block 702, upon execution, the installed SCDE app first displays SCDE 360's privacy policy on Display Screen 603. In Block 704, the appliance user can reject SCDE 360's privacy policy terms by clicking on the “Reject” icon appearing on Display Screen 603. In the case of a non-touch display, the pressing action may be effected by clicking on the Reject icon by the use of a pointing device, such as a mouse. In the case of a touch screen display, the clicking action may be effected by touching the Reject icon with, for example, a finger or a stylus. Once the Reject button is clicked on, the app install is aborted and the app completely removes itself from Appliance 345, as shown in Block 708. The installation process then ends in Block 712. If in Block 706 the appliance user agrees to SCDE 360's privacy policy terms, by clicking on the “Accept” button appearing on Display Screen 603, CPU 600, as controlled by the SCDE app, first generates an appliance user anonymous identifier in Block 710, using Appliance User Password And Anonymous ID Generation Process 667 in communication with User Interface And Consumer Data Collection Process 637 through Inter-process Communication 665. Following this action, as shown in Block 714, CPU 600, as controlled by the SCDE app, generates an appliance user public/private key pair by use of Public/Private Key Generation Process 663 in communication with Encryption/Decryption Process 649 through Inter-process Communication 651, and also generates an appliance user password by use of Appliance User Password And Anonymous ID Generation Process 667. Then, in communication with User Interface And Consumer Data Collection Process 637, through Inter-process Communication 665, CPU 600 displays the generated user password to the appliance user on Display Screen 603.
As shown in Block 716, the appliance user may now accept the password for later use, by clicking on the OK icon that appears on Display Screen 603, or change the password to one that the appliance user is more comfortable with, and accept the changed password by clicking the OK icon. The appliance user's password is used by the SCDE app to assure that the appliance user's collected consumer data is linked with the correct appliance user anonymous identifier. This is necessary because a single network connected appliance may be used by multiple appliance users. The password will also be used to assure that offers communicated to Appliance 345 from Media Agency 310 through SCDE 360, are presented to the appropriate user of Appliance 345.

After the generation of the appliance user's anonymous identifier, public/private key pair, and user password, the SCDE app controls CPU 600 of Appliance 345 to start appliance user consumer data collection, as shown in Block 718. User Interface And Consumer Data Collection Process 637 controls CPU 600 to effect consumer data collection through the use of Touch Or Non-touch Display Screen 603, Pointing Device 605, Keyboard/Keypad 607, or GPS Receiver 609. Such collected consumer data may include, for example, the websites the appliance user visited; what news articles, entertainment content, product descriptions and advertisements were clicked on by the appliance user; the search terms used by the appliance user while searching for Internet content; what products or services were purchased by the appliance user on line; what social networking websites, association websites, and blogs the appliance user visited; how long the appliance user remained connected to each website; the physical location of the appliance user at predetermined time intervals; what “brick and mortar stores” the appliance user visited; as well as personal data. Such personal data may comprise the appliance user's name, address and telephone numbers, age, socioeconomic status, place of work, names of friends and acquaintances, number of children, and marital status. In addition, collected consumer data may also include the consumer's network browsing, product purchase, and physical location histories, where such histories include the dates and times at which history events occurred.
If the appliance user of Appliance 345 wishes to use the appliance for “private browsing” or wishes to not have their consumer data collected for any reason, the appliance user can disable the SCDE app, and stop consumer data collection, by clicking on the “Stop” icon that is displayed on Touch Or Non-Touch Display Screen 603 by CPU 600, as controlled by User Interface And Consumer Data Collection Process 637, while Appliance 345 is collecting consumer data. This potential appliance user action is also shown in Block 718.

As previously discussed, SCDE 360 receives encrypted consumer data from Appliance 345. In this preferred embodiment of the present invention, the consumer data is encrypted to SCDE 360's public key. It is therefore necessary for Appliance 345 to obtain SCDE 360's public key. Block 720 shows the SCDE app residing in RAM/Flash Systems Memory 625 controlling CPU 600 to use Wired Or Wireless Communication Interface 635 to communicate with SCDE 360, and obtain SCDE 360's public key from SCDE 360.

Prior to linking the consumer data collected by Appliance 345 with the appliance user's anonymous identifier, encrypting the consumer data and anonymous identifier to SCDE 360's public key, and communicating the encrypted consumer data and appliance user's anonymous identifier to SCDE 360, as shown in Blocks 724 and 726, it is preferable to de-identify the consumer data, as shown in Block 722. This optional step enhances consumer privacy and reduces the chances that the consumer data collected by Appliance 345 will be attributed to a particular individual, should there be a security breach at SCDE 360. De-identification removes, including but not limited to: the appliance user's name; references to the appliance user's residence location such as street address, city, county, parish, precinct, or zip code; numbers relating to the appliance user such as the appliance user's date of birth, age, date of admission to a school of higher learning, dates of admission and release from a health care facility, fax numbers, email addresses, social security numbers, driver license numbers, medical record numbers, health plan beneficiary numbers, financial institution account numbers, credit card numbers, yearly income, total assets, savings accounts balances, society membership numbers, certificate/license numbers, vehicle identifiers and serial numbers, vehicle license plate numbers, device identifiers and serial numbers (such as the universally unique identifier (UUID) embedded in the appliance user's smart phones, tablet computers or personal computers), Internet Protocol (IP) address from which the appliance user communicates over the Internet, or the Media Access Control (MAC) addresses of the network interfaces used by the appliance user; images of the appliance user or the appliance user's friends, family and colleagues; images of the appliance user's residence, neighborhood, house of worship; and the appliance user's ethnicity or religion.
Although the embodiment of the present invention being discussed performs de-identification within Appliance 345 prior to the communication of the consumer data to SCDE 360, de-identification could be performed at SCDE 360. Such de-identification could be performed either at the time of SCDE 360's receipt of the consumer data from Appliance 345 or after the consumer data is analyzed and the appliance user's anonymous identifier is aggregated with a set of other appliance user anonymous identifiers whose collected consumer data corresponds to at least one common delineated parameter from Media Agency 310, but before it is encrypted and stored in Data Storage 509 for later use. If the consumer data from Appliance 345 is de-identified after the appliance user's anonymous identifier is aggregated with other appliance users' identifiers, the data would be stored in encrypted form when initially received by SCDE 360.
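The de-identification of Block 722 can be sketched as a filter applied to the collected CSV data before it is linked to the anonymous identifier and encrypted. This is an added Python example, not code from the specification; the column names, the sample rows and the bracketed replacement tags are assumptions, and only a few of the listed identifier types are covered.

```python
import csv
import io
import re

# Columns dropped outright: direct identifiers named in the passage above.
# The column names themselves are assumptions about the CSV layout.
DROP_COLUMNS = {
    "name", "street_address", "city", "zip_code", "date_of_birth", "age",
    "email", "ssn", "credit_card", "device_uuid", "ip_address",
    "mac_address", "ethnicity", "religion",
}

# Identifier-shaped substrings scrubbed from the columns that are kept.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("UUID", re.compile(
        r"\b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b")),
    ("MAC", re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
]


def scrub(value):
    """Replace identifier-shaped substrings in a kept field with a tag."""
    for tag, pattern in PATTERNS:
        value = pattern.sub(f"[{tag}]", value)
    return value


def deidentify_csv(csv_text, anonymous_id):
    """Return CSV text keyed by the anonymous identifier only."""
    reader = csv.DictReader(io.StringIO(csv_text))
    # Header matching ignores case and padding so "Email " is still dropped.
    kept = [c for c in reader.fieldnames
            if c.strip().lower() not in DROP_COLUMNS]
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["anonymous_id", *kept])
    for row in reader:
        # Short rows yield None for missing cells; treat those as empty.
        writer.writerow([anonymous_id, *(scrub(row[c] or "") for c in kept)])
    return out.getvalue()


def residual_identifiers(csv_text):
    """Audit step: pattern tags still matching a value outside column one."""
    found = set()
    for row in csv.reader(io.StringIO(csv_text)):
        for value in row[1:]:
            found.update(tag for tag, p in PATTERNS if p.search(value))
    return sorted(found)


# Constructed sample of collected consumer data (not real user data).
SAMPLE = (
    "Name,Email,IP_Address,visited_url,search_terms,dwell_seconds\n"
    "Pat Example,pat@example.com,203.0.113.7,https://shop.example/cameras,"
    "tripod reviews mail pat@example.com,95\n"
    "Pat Example,pat@example.com,203.0.113.7,"
    "https://news.example/a?ip=203.0.113.7,"
    "lens from 00:1A:2B:3C:4D:5E,40\n"
)

if __name__ == "__main__":
    cleaned = deidentify_csv(SAMPLE, "anon-7f3a")
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

Dropping columns alone leaves the e-mail, IP and MAC values that appear inside the kept URL and search-term fields, which is why the kept fields are scrubbed and the output is audited before encryption.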

The consumer data collected by Appliance 345 and communicated to SCDE 360 becomes less representative of the appliance user's likes, dislikes, desires and needs, as time progresses. Consumer data aging occurs because much of the consumer data collected by Appliance 345 reflects the consumer's current activities, age, socioeconomic level, education level, occupation, peer group pressures, and short term plans. In order to take continuous changes in consumer on line behavior into account, and be able to assign the consumer's anonymous identifier to the most appropriate aggregate set of anonymous identifiers, the present invention can apply a “rolling storage” approach to the consumer data collected by Appliance 345 and communicated to SCDE 360. In one regimen in accordance with this approach, SCDE 360 accumulates the consumer data from Appliance 345 for the period of 6 months immediately after the SCDE app is installed in Appliance 345. Following this initial 6 month period, the first 3 months of collected consumer data from Appliance 345 is purged from Enterprise Server 500's Data Storage Unit 509, while the second 3 months of collected consumer data is retained. During the next 3 month period, the third 3 month period after SCDE app installation in Appliance 345, collected consumer data from Appliance 345 is combined with the previously stored and retained second 3 month period collected consumer data from Appliance 345. This sequence of purging 3 months of consumer data, followed by combining the remaining consumer data with 3 months of newly collected consumer data, can continue as long as the SCDE app is installed in Appliance 345. It assures that consumer data analyzed for delineated parameters supplied to SCDE 360 by Media Agency 310, reflects the current on line behavior of Appliance 345's user.
The use of a rolling storage model by SCDE 360 also significantly improves consumer privacy, and thus, in addition to assuring that up to date consumer data is employed by SCDE 360 for data analysis, it facilitates compliance with government consumer privacy legislation and regulations. Such compliance facilitation is realized by the limiting of the amount of encrypted appliance user consumer data resident on Storage Unit 509 of Enterprise Server 500, thus significantly reducing the potential impact of a data compromising SCDE 360 security breach.
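The rolling storage regimen described above reduces to a retention cutoff computed from the SCDE app installation date. This is an added Python example, not code from the specification; the file names, the dates and the record layout are constructed for the illustration.

```python
import calendar
from datetime import date

PERIOD_MONTHS = 3   # length of one storage period in the regimen above


def add_months(start, months):
    """Calendar-month addition, clamped to the last day of shorter months."""
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def period_index(installed, day):
    """Number of whole 3-month periods elapsed from installation to `day`."""
    if day < installed:
        raise ValueError("date precedes SCDE app installation")
    k = 0
    # Boundaries are always computed from the install date, never chained,
    # so an install on the 31st does not drift after a short month.
    while add_months(installed, (k + 1) * PERIOD_MONTHS) <= day:
        k += 1
    return k


def retention_cutoff(installed, today):
    """Oldest collection date that may still be stored on `today`.

    Data from the current period and the one before it is retained, so
    nothing is purged until the initial 6 months have elapsed.
    """
    oldest_kept = max(period_index(installed, today) - 1, 0)
    return add_months(installed, oldest_kept * PERIOD_MONTHS)


def apply_rolling_storage(files, installed, today):
    """Split stored files into (retained, purged) by collection date."""
    cutoff = retention_cutoff(installed, today)
    retained = [f for f in files if f["collected"] >= cutoff]
    purged = [f for f in files if f["collected"] < cutoff]
    return retained, purged


# Constructed sample: encrypted files held for one anonymous identifier.
INSTALLED = date(2024, 1, 15)
FILES = [
    {"name": "batch-001.csv.gpg", "collected": date(2024, 1, 20)},
    {"name": "batch-002.csv.gpg", "collected": date(2024, 4, 14)},
    {"name": "batch-003.csv.gpg", "collected": date(2024, 4, 15)},
    {"name": "batch-004.csv.gpg", "collected": date(2024, 7, 1)},
    {"name": "batch-005.csv.gpg", "collected": date(2024, 8, 2)},
]


def purged_names(today):
    """Names of the sample files that must be erased on `today`."""
    return [f["name"] for f in apply_rolling_storage(FILES, INSTALLED, today)[1]]


if __name__ == "__main__":
    for day in (date(2024, 7, 14), date(2024, 7, 15), date(2024, 10, 20)):
        print(day, "cutoff", retention_cutoff(INSTALLED, day),
              "purge", purged_names(day))
```

With this rule the store never holds 6 months or more of one user's data once the initial period has passed, which bounds what a breach of Data Storage Unit 509 could expose.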

If the appliance user of Appliance 345 wishes to de-install the SCDE app, the appliance user can initiate SCDE app de-installation by clicking on the “De-install” icon that is displayed on Touch Or Non-Touch Display Screen 603 by CPU 600, as controlled by User Interface And Consumer Data Collection Process 637. Upon the initiation of the de-installation of the SCDE app from Appliance 345 by the appliance user, Appliance 345 communicates an encrypted message to SCDE 360, that includes the appliance user's anonymous identifier, informing SCDE 360 of the app's imminent de-installation from Appliance 345. Such a communication comes from CPU 600 through Wired Or Wireless Network Communications Interface 635, as controlled by the SCDE app residing in RAM/Flash And Systems Memory 625, just prior to the SCDE app's erasure from Systems Memory 625. Upon receipt of an SCDE app de-installation communication from Appliance 345, High Performance CPU 513 of FIG. 5 erases all encrypted consumer data files linked to the user of Appliance 345's anonymous identifier and blacklists the appliance user's anonymous identifier so no further communication between SCDE 360 and Appliance 345 will take place. The act of removing all consumer data communicated to SCDE 360 from Appliance 345 residing on Storage Unit 509 upon the de-installation of the SCDE app from Appliance 345, further facilitates compliance with government consumer privacy legislation and regulations. Such further compliance is facilitated by assuring that after the user of Appliance 345 de-installs the SCDE app and “opts out” of having their consumer data collected and communicated to SCDE 360, thus rescinding authorization to do so, consumer data previously collected is no longer available.

During some of the communication sessions established by Appliance 345's CPU 600 with SCDE 360, as controlled by the SCDE app residing in Ram/Flash And Systems Memory 625, wherein collected encrypted consumer data and the linked anonymous identifier of the appliance user are communicated to SCDE 360, Appliance 345 may receive from SCDE 360 an offer for products, content, or services from Advertiser 305. These 2 actions are shown in Block 726 and Block 728. In the following discussion, the offer is part of an ad campaign generated by Media Agency 310 on behalf of Advertiser 305. This offer includes the website address where the ad campaign is hosted and a description of the offer. Communication between Appliance 345 and SCDE 360 may be initiated at predefined time intervals, such as once per hour, once per day, or a time interval determined to be commensurate with the collection of sufficient consumer data by Appliance 345 to warrant such communication. Communication between Appliance 345 and SCDE 360 may also be initiated when a defined amount of appliance user consumer data is collected. In this latter case, the time interval between communications can vary depending upon how many minutes Appliance 345 is used by the appliance user over a 24 hour time period. In a third approach, appliance user consumer data can be collected and communicated to SCDE 360 when the Appliance user is not using Appliance 345 for data intensive tasks, not using Appliance 345 at all or when network communication traffic is at a minimum. Other bases for time interval selection are possible.

If the user of Appliance 345 concludes that the offers received from SCDE 360 do not accurately reflect their interests, the user may wish to “reset” the consumer data used to determine the offers they receive. In this case, the preferred embodiment of the present invention provides a “Data Reset” icon that is displayed on Touch Or Non-Touch Display Screen 603 by CPU 600, as controlled by User Interface And Consumer Data Collection Process 637. Upon the initiation of consumer data reset by the user of Appliance 345, Appliance 345 communicates an encrypted message to SCDE 360, that includes the appliance user's anonymous identifier, indicating that the appliance user wishes their consumer data to be purged and new consumer data to be collected. Upon receipt of such communication, High Performance CPU 513 of FIG. 5 erases all encrypted consumer data files linked to the user of Appliance 345's anonymous identifier, and restarts the process of collecting new consumer data linked to Appliance User 345's anonymous identifier.

Upon receipt of an offer from SCDE 360, the offer is displayed on Touch Or Non-Touch Display Screen 603 by CPU 600, using User Interface And Consumer Data Collection Process 637, as controlled by the SCDE app. Such an offer display can take many forms. FIGS. 8A and 8B depict 2 possible offer display screen arrangements. FIG. 8A depicts one such arrangement. In the arrangements of FIGS. 8A and 8B, multiple offers from multiple Advertisers, including Advertiser 305, are sorted into categories by CPU 600, as controlled by the SCDE app, before presentation on Touch Or Non-Touch Display Screen 603. The offers are then presented to the appliance user as a multilevel list, wherein the top level of the list is seen by the appliance user as a series of product or services categories. In FIGS. 8A and 8B this list is labeled “Dyna Deals!”. Referring to FIG. 8A, it can be seen that the first item in the list is labeled “Cameras”. If the appliance user is interested in offers, for example, on the purchase of a still or a movie camera, or repair of a camera, or camera accessories, such as lenses, memory cards or tripods, the appliance user may click on this item of the list. This action will cause the presentation on Display Screen 603 of a list of camera related offers, with offer descriptions, presently available to the appliance user. The descriptions accompanying these offers will include the website address where the offer is available. The descriptions can be incorporated in the presented list as short summaries. If a list item containing an offer from Advertiser 305 is clicked, Appliance 345 can be connected to Ad Campaign Website 350 where the advertising campaign initiated by Advertiser 305 in FIG. 4 Block 400, and generated by Media Agency 310 in FIG. 4 Block 410, has been published by Publisher 340 in FIG. 4 Block 412.
The appliance user can then be presented with a detailed promotional presentation that includes full product descriptions, product reviews, related videos, news or entertainment content, sponsored content, native advertising content, games, or social networking opportunities, for example. The user interaction related to FIG. 8B is similar to that of FIG. 8A; however, in FIG. 8B the traditional list format is replaced with a series of icons. In the case of FIG. 8B, there are 2 camera icons presented, one for still cameras and one for movie cameras. These appear in the last row of icons, 4th and 5th from the last icon in the row from the right, respectively. If the appliance user clicks on the still camera icon, the screen presentation will be replaced with a series of icons representing offers related to still cameras. Short descriptive text may accompany an icon. Clicking on an icon with an offer from Advertiser 305, as in the case of FIG. 8A, connects Appliance 345 to the website address where the ad campaign generated for Advertiser 305 by Media Agency 310 is hosted, and the appliance user is presented with a full description of the offer, possibly accompanied with additional promotional material. These actions are shown in Block 730 and Block 732 of FIG. 7.

As shown in Block 734, when the appliance user clicks on an item in the offer list, or an offer icon, Network Connected Appliance 345 communicates to SCDE 360 that the appliance user has clicked on an offer from Advertiser 305, and thereby has shown a desire to interact with the Ad Campaign related to Advertiser 305's offer. This communication includes the appliance user's anonymous identifier and the website address of the offer clicked on. For the purpose of measuring ad campaign efficacy, it is beneficial to verify that the anonymous identifier of the user of Appliance 345 is a member of the aggregate set of anonymous identifiers whose identification code was communicated to Media Agency 310 from SCDE 360 in FIG. 4 Block 454. Therefore, as shown in Block 736, immediately following SCDE 360's receipt of the communication from Appliance 345 indicating that the user of Appliance 345 has clicked on an offer from Advertiser 305, SCDE 360 communicates the aggregate set identification code, of which the user of Appliance 345 is a member, to Appliance 345, and Appliance 345 communicates the identification code to Ad Campaign Website 350. In turn, Ad Campaign Website 350 communicates the identification code to Publisher 340, and Publisher 340 communicates the identification code to Media Agency 310, along with the address of Ad Campaign Website 350. A positive comparison by Media Agency 310 of the identification code received from SCDE 360 in Block 454 with the identification code received from Publisher 340 in Block 460 verifies that the user of Appliance 345 is a member of the aggregate set of anonymous identifiers marked with the identification code. In Block 738 the user of Appliance 345 views and interacts with Ad Campaign Website 350.

Although the web browsers often incorporated in network connected appliances at the time of manufacture can be employed to communicate with Ad Campaign Website 350, it is preferable, for reasons of consumer privacy, for the SCDE app to include its own web browser. This browser can be designed, for example, such that appliance user tracking objects incorporated into many web pages, such as cookies, local shared objects (LSO) and HTML5 databases, are accepted but not stored, thereby increasing appliance user privacy. Web Browser Process 643 executing on CPU 600 of Network Connected Appliance 345, communicating with User Interface And Consumer Data Collection Process 637, through Inter-process Communication 659, represents such a browser. In the preferred embodiment of the present invention, as shown in Block 738, Web Browser Process 643 is the web browser the user of Appliance 345 employs to access, view and interact with Ad Campaign Website 350.

In accordance with the principles of the present invention, each user who logs into Appliance 345 has a different set of credentials, that is password, anonymous identifier, and public/private key pair. Different user credentials are generated by the SCDE app for each appliance user when he or she first uses Appliance 345. Separate credentials allow consumer data collected by Appliance 345 to be correctly attributed to each appliance user, thus allowing each anonymous identifier included in an aggregate set of anonymous identifiers to point to a single appliance user, not multiple appliance users of a single network connected appliance. However, if an appliance user uses a plurality of network connected appliances, each of these appliances will generate, under the control of the SCDE app, a different set of credentials for the appliance user. This can lead to a single appliance user being associated with a plurality of anonymous identifiers, and a lower volume of collected consumer data associated with each of the appliance user's anonymous identifiers. Since the greater the volume of consumer data associated with an appliance user's anonymous identifier, the more accurate the SCDE's analysis of the data can be, it is advantageous to combine appliance user consumer data collected from each network connected appliance used by the appliance user, into a single combined set of consumer data. One way the preferred embodiment of the present invention effects such combining of consumer data is to cause each network connected appliance employed by the appliance user to incorporate the same appliance user credentials. The synchronization of credentials across multiple appliances employed by the appliance user can be accomplished in a number of ways. 
A first approach is to physically connect two or more of the user's appliances with an electrical cable, or cables, and, after the appliance user enters his or her passwords for the source and destination appliances, have the appliance user cause the SCDE apps resident on each of the destination user appliances to initiate an encrypted transfer and subsequent installation of credential data, overwriting any credential data previously residing on the destination appliances associated with the appliance user. A second approach can be to use an encrypted wireless communication for the transfer. For example, a Wi-Fi, Bluetooth, Near Field Communication (NFC) or infrared (IR) optical connection can be employed. Here again the destination user's appliance, or appliances, initiates the encrypted transfer and subsequent installation of credential data. It is important for the destination appliance to initiate transfer and installation of the credential data in order to reduce the potential of such transfer and credential installation being effected by a hacker not associated with the appliance user. Such a wireless transfer can employ Bluetooth Transceiver 611, of Appliance 345, in conjunction with CPU 600, under the control of the SCDE app stored in RAM/Flash And Systems Memory 625.

In the following credential transfer discussion, it is assumed that only a source and a destination user appliance, in this example Destination Appliance 345B and Source Appliance 345A, take part in the transfer operation. Taking advantage of the appliance user's source and destination appliance public/private keys, destination CPU 600 of Appliance 345B, using destination Bluetooth Transceiver 611, under the control of the destination SCDE app, first communicates to the source CPU 600 of Appliance 345A, under the control of the source SCDE app, the then current public key of the destination appliance. Following this action, CPU 600 of the source appliance, under the control of the source SCDE app, communicates the public key of the source appliance to the destination appliance. Source CPU 600 then employs source Encryption/Decryption Process 649 to encrypt the source appliance user's credentials to the destination appliance's public key and, over source Inter-process communication 655, in conjunction with source User Interface And Data Collection Process 637, employs source Bluetooth Transceiver 611 to communicate the encrypted source appliance user's credentials to destination Appliance 345B. Destination CPU 600, after receipt of the encrypted source appliance credentials, over destination Bluetooth Transceiver 611, under the control of the destination SCDE app, then decrypts the source appliance user credentials, using destination Encryption/Decryption Process 649 over source Inter-process communication 655, in conjunction with source User Interface And Data Collection Process 637, then overwrites and installs the source appliance's credentials in the destination appliance, in place of the destination appliance's credentials.
From this point forward, the appliance user will log into Appliance 345B with the same password as used to log into Appliance 345A, and all consumer data collected and communicated by Appliance 345B to SCDE 360 will be linked to the same anonymous identifier as that which is linked to consumer data collected and communicated to SCDE 360 by Appliance 345A. The appliance user may change his or her log-in password at any time, on either Appliance 345A or Appliance 345B; however, the anonymous identifier linked with consumer data collected by either of these appliances will not change. Since SCDE 360 only uses anonymous identifiers linked with received consumer data, and does not employ network connected appliance identifiers, such as UUIDs, or appliance user tracking objects, such as cookies, LSOs and HTML5 databases, to store and combine consumer data received at different times from network connected appliances in which the SCDE app is installed, SCDE 360 will not recognize that such consumer data is communicated from different network connected appliances. Therefore, consumer data communicated to SCDE 360 from a particular network connected appliance user will be combined across all the network connected appliances employed by the appliance user, and appropriately analyzed for enhanced interest in content, products or services offered by an advertiser, such as Advertiser 305. This can result in more accurate assignment of appliance user anonymous identifiers to aggregate sets of appliance user anonymous identifiers, and thereby lead to a higher advertising campaign return on investment.
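The destination-initiated credential transfer described above, as an added Node.js example that is not part of the patent or of any SCDE implementation. The `Appliance` class, its method names, the sample passwords and identifiers, and the RSA-OAEP plus AES-256-GCM hybrid encryption are assumptions; the text says only that the credentials are encrypted to the destination appliance's public key.

```javascript
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Hybrid encryption (an assumption: the text only says "encrypt to the public key").
// A fresh AES-256-GCM key encrypts the payload; RSA-OAEP wraps that key.
function sealTo(publicKeyPem, plaintext) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, key);
  return { wrappedKey, iv, body, tag: cipher.getAuthTag() };
}

function openWith(privateKeyPem, sealed) {
  const key = crypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, sealed.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, sealed.iv);
  decipher.setAuthTag(sealed.tag);
  // final() throws if the ciphertext or tag was altered in transit.
  return Buffer.concat([decipher.update(sealed.body), decipher.final()]).toString('utf8');
}

// Hypothetical model of the SCDE app's credential store on one appliance.
class Appliance {
  constructor(name, password, anonymousId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    this.name = name;
    this.pending = false;
    this.credentials = {
      password,
      anonymousId,
      publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
      privateKeyPem: privateKey.export({ type: 'pkcs8', format: 'pem' }),
    };
  }
  checkPassword(password) {
    if (password !== this.credentials.password) throw new Error(`${this.name}: wrong password`);
  }
  // Destination: opens the transfer and sends its current public key.
  requestTransfer(password) {
    this.checkPassword(password);
    this.pending = true;
    return { from: this.name, publicKeyPem: this.credentials.publicKeyPem };
  }
  // Source: replies with its public key and its credentials encrypted to the destination's key.
  answerTransfer(request, password) {
    this.checkPassword(password);
    const sealed = sealTo(request.publicKeyPem, JSON.stringify(this.credentials));
    return { from: this.name, publicKeyPem: this.credentials.publicKeyPem, sealed };
  }
  // Destination: installs only what it asked for; an unsolicited push is refused.
  installFrom(answer) {
    if (!this.pending) throw new Error(`${this.name}: unsolicited credential transfer refused`);
    this.pending = false; // one request, one installation attempt
    this.credentials = JSON.parse(openWith(this.credentials.privateKeyPem, answer.sealed));
  }
}

// Constructed sample values; none come from the page.
function runTransfer() {
  const source = new Appliance('345A', 'source-pass', 'anon-id-A');
  const destination = new Appliance('345B', 'dest-pass', 'anon-id-B');
  const answer = source.answerTransfer(destination.requestTransfer('dest-pass'), 'source-pass');
  destination.installFrom(answer);
  return { source, destination, answer };
}

const { destination } = runTransfer();
console.log(destination.name, 'now reports as', destination.credentials.anonymousId);
```

The sketch performs no authentication of the public keys it exchanges, since the passage describes none; its protection against a third party rests on the destination-initiated rule, the password entry on both appliances, and the encrypted link.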

Having thus described several aspects of the preferred embodiment of the present invention, it is to be appreciated that various alterations, modifications, and improvements will readily occur to those skilled in the art. Such alterations, modifications, and improvements are intended to be part of this disclosure, and are intended to be within the spirit and scope of the invention. Accordingly, the foregoing description and drawings are by way of example only. 

What is claimed is:
 1. A computer implemented method for effecting targeted access to anonymous users of a network, comprising: communicating to a computer processor unit at a first entity consumer data resulting from a user's use of a network connected appliance, the consumer data being linked with an appliance user anonymous identifier, wherein processing by the computer processor unit comprises: analyzing the consumer data by use of one or more delineated parameters, wherein said delineated parameters define an audience with heightened interest in an offering of a second entity; aggregating in accordance with the results of the analysis the appliance user's anonymous identifier with a set of appliance user anonymous identifiers linked with the consumer data of other appliance users, such that each appliance user anonymous identifier included in the aggregate set points to an appliance user whose collected consumer data corresponds to at least one delineated parameter in common with the collected consumer data of the other appliance users whose anonymous identifiers are included in the aggregate set, generating an aggregate set of anonymous identifiers, each anonymous identifier in the aggregate set pointing to a member of the audience, wherein said audience includes the appliance user; marking the aggregate set with an identification code; communicating the identification code from the first entity to the second entity; and providing the second entity with access to the audience through the first entity by use of the aggregate set identification code.
 2. The method of claim 1 wherein the electronic network is the Internet.
 3. The method of claim 1 wherein at least one delineated parameter used to analyze the consumer data is provided by the second entity.
 4. The method of claim 1 wherein the first entity communicates to the appliance user an offer available from the second entity.
 5. The method of claim 1 wherein the appliance communicates with the first entity when the appliance user initiates communication with a website where a second entity offering is available.
 6. The method of claim 1 wherein the first entity communicates the aggregate set identification code to the appliance.
 7. The method of claim 1 wherein the appliance communicates the aggregate set identification code to the second entity while communicating with a website where a second entity offering is available, and the aggregate set identification code is used by the second entity to verify that the appliance user is a member of the audience.
 8. A system for effecting targeted access to anonymous users of a network, comprising: a computer at a first entity, the computer being comprised of: a data storage unit; a processor unit; a network communications interface; and software stored on the data storage unit that control processes executed on the processor unit, wherein: the processor unit receives consumer data linked with an appliance user anonymous identifier resulting from the user's use of a network connected appliance, communicated to the processor unit through use of the network communications interface; the processor unit analyzes the consumer data by the use of one or more delineated parameters, wherein said delineated parameters define an audience with heightened interest in an offering of the second entity; the processor unit aggregates in accordance with the results of the analysis the appliance user's anonymous identifier with a set of appliance user anonymous identifiers linked with the consumer data of other appliance users, such that each appliance user anonymous identifier included in the aggregate set points to an appliance user whose collected consumer data corresponds to at least one delineated parameter in common with the collected consumer data of the other appliance users whose anonymous identifiers are included in the aggregate set, and generates an aggregate set of anonymous identifiers, each anonymous identifier in the aggregate set pointing to a member of the audience, wherein said audience includes the appliance user; the processor unit marks the aggregate set with an identification code; the processor unit communicates the identification code from the first entity to the second entity; and the processor unit provides the second entity with access to the audience by use of the identification code.
 9. The system of claim 8 wherein the electronic network is the Internet.
 10. The system of claim 8 wherein the first entity obtains at least one delineated parameter used to analyze the consumer data from the second entity.
 11. The system of claim 8 wherein the first entity communicates to the appliance user an offer available from the second entity.
 12. The system of claim 8 wherein the appliance communicates with the first entity when the appliance user initiates communication with a website where a second entity offering is available.
 13. The system of claim 8 wherein the first entity communicates the aggregate set identification code to the appliance.
 14. The system of claim 8 wherein the appliance communicates the aggregate set identification code to the second entity while communicating with a website where a second entity offering is available, and the second entity uses the aggregate set identification code to verify that the appliance user is a member of the audience.
 15. A network connected appliance for effecting targeted access to a user of the appliance, comprising: a processor; a memory; a network communications interface; and a computer program stored in said memory and executed on said processor wherein: the processor obtains authorization from the appliance user to collect and communicate the appliance user's consumer data to a first entity; the processor generates an appliance user anonymous identifier; the processor collects the appliance user's consumer data; the processor links the generated appliance user anonymous identifier with the collected consumer data; the processor communicates the consumer data and appliance user's anonymous identifier to the first entity by use of the network communications interface; the processor receives an offer from a second entity communicated by the first entity by use of the network communications interface; and the processor receives the identification code of an aggregate set of anonymous identifiers in which the appliance user's anonymous identifier is included from the first entity by use of the network communications interface.
 16. The appliance of claim 15 wherein the electronic network is the Internet.
 17. The appliance of claim 15 wherein the computer program is downloaded from the first entity.
 18. The appliance of claim 15 wherein the processor encrypts the consumer data prior to the network communications interface communicating the consumer data and appliance user's anonymous identifier to the first entity.
 19. The appliance of claim 15 wherein the processor establishes a communication session with the first entity by use of the network communications interface and receives a communication from the first entity that includes the offer from the second entity.
 20. The appliance of claim 15 wherein the network communication interface sends a communication to the first entity when the appliance user initiates communication with a website of the second entity. 